Law Firm News

Data Law Weekly (20250519-20250525)

Published: 2025-05-26

Authors: Attorney 陈嘉伟 et al.

Source: 至融至泽

Contents

I. Domestic news

1. The MPS, the CAC and four other departments jointly issued the “National Network Identity Authentication Public Service Management Measures” (《国家网络身份认证公共服务管理办法》)

2. The CAC released the eleventh batch of deep synthesis service algorithm filing information

3. The Ministry of Public Security reported 35 mobile applications that collected and used personal information in violation of laws and regulations

4. The CAC continues to strengthen the governance of information recommendation algorithms, with key platforms such as Douyin, Xiaohongshu, and Weibo releasing announcements on the optimization of their content recommendation algorithms

5. Four national standards, including “Security Requirements for the Processing of Sensitive Personal Information” and “Basic Security Requirements for Generative Artificial Intelligence Services”, have been published in full

II. Overseas news

1. The U.S. House of Representatives launched an investigation into Chinese automaker BYD, involving data security and cybersecurity

2. The European Commission published its Fourth Omnibus Simplification Package, which includes measures to reduce the GDPR compliance burden on small and medium-sized enterprises

3. Italian Data Protection Authority fines US AI chatbot Replika €5 million

Domestic news

1. The MPS, the CAC and four other departments jointly issued the “National Network Identity Authentication Public Service Management Measures” (《国家网络身份认证公共服务管理办法》)

On May 23, six departments, namely the Ministry of Public Security (MPS), the Cyberspace Administration of China (CAC), the Ministry of Civil Affairs, the Ministry of Culture and Tourism, the National Health Commission, and the National Radio and Television Administration, jointly issued the “National Network Identity Authentication Public Service Management Measures” (《国家网络身份认证公共服务管理办法》), which will come into force on July 15, 2025. The Measures consist of 16 articles and mainly address four aspects: first, they define the national network identity authentication public service, the network number and the network certificate, and set out how to apply for them; second, they clarify the effect and application scenarios of using the national network identity authentication public service; third, they emphasize the responsibility of the national network identity authentication public service platform, internet platforms and others for data security and the protection of personal information; and fourth, they make special provisions for minors applying for and using the national network identity authentication public service. The Measures establish the principle that use of the network number and network certificate is voluntary. They encourage the relevant competent authorities, key industries and internet platforms to promote the use of the network number and network certificate on a voluntary basis for users, while retaining and providing existing or other lawful means of registering and verifying identity. Internet platforms are encouraged to connect to the national network identity authentication public service, but must ensure that users who do not use a network number or network certificate enjoy the same services as those who do.

[Click to view the full text of the measures:

https://www.mps.gov.cn/n6557558/c10087550/content.html]

2. The CAC released the eleventh batch of deep synthesis service algorithm filing information

On May 19, 2025, the Cyberspace Administration of China (CAC) publicly released the eleventh batch of filing information on domestic deep synthesis service algorithms. This batch of filings lists 211 algorithms. Under Article 19 of the “Administrative Provisions on Deep Synthesis of Internet Information Services” (《互联网信息服务深度合成管理规定》), providers of deep synthesis services with public opinion attributes or social mobilization capabilities shall complete the procedures for filing, changing a filing and cancelling a filing in accordance with the “Administrative Provisions on Algorithm Recommendation for Internet Information Services” (《互联网信息服务算法推荐管理规定》). Technical supporters of deep synthesis services shall complete the same procedures by reference to those provisions. Deep synthesis service providers and technical supporters that have not yet completed the filing procedures shall apply for filing as soon as possible.

[Reference:

https://www.cac.gov.cn/2025-05/19/c_1749365589879703.htm]

3. The Ministry of Public Security reported 35 mobile applications that collected and used personal information in violation of laws and regulations

On May 20, the MPS Quality Supervision and Testing Center of Security Products for Computer Information Systems reported that its testing had found 35 apps in the Yingyongbao (应用宝) app store that collected and used personal information in violation of laws and regulations. The problems found in these mobile apps include: failing to list the rules for collecting and using personal information item by item in a structured list; actually collecting personal information beyond the scope of user authorization; describing in the personal information protection policy the collection of personal information that is not directly related to business functions; requesting permissions capable of collecting personal information that are not directly related to business functions; asking users in advance to grant permissions needed for a specific function that is not currently in use; actually collecting personal information that is not directly related to business functions; collecting personal information at a frequency that is not directly related to business functions; failing to provide users with a specific way to correct or supplement their personal information; and displaying advertisements that mislead or deceive users.

[Reference:

https://mp.weixin.qq.com/s/4JB4OJw3yDWKh_9Fe2-klQ]

4. The CAC continues to strengthen the governance of information recommendation algorithms, with key platforms such as Douyin, Xiaohongshu, and Weibo releasing announcements on the optimization of their content recommendation algorithms

Recently, as part of the special campaign “Clear and Bright: Addressing Typical Issues with Algorithms on Online Platforms”, the Cyberspace Administration of China (CAC) urged and guided key platforms to optimize their information recommendation algorithm functions and adjust their recommendation rules. The campaign responds to strong public concern that algorithmic recommendation amplifies vulgar content, deepens “information cocoons”, and intensifies the polarization of viewpoints. Key platforms have responded by signing the “Algorithms for Good” Nanning Declaration, improving content review for algorithmic recommendations, setting up dedicated websites, channels, or accounts to disclose algorithm rules and principles in one place, developing and launching new features such as “cocoon assessment” and “one-click cocoon break”, and improving user interest preference management services to increase the diversity of algorithm-recommended content. Among them, Douyin, Xiaohongshu, Weibo, Kuaishou, WeChat Channels, Bilibili and other platforms have recently released announcements on optimizing their content recommendation algorithms. The announcements describe systematic improvements to multiple functions, centered on weighted recommendation of positive content, safeguarding users’ right to choose, optimizing the diversity of recommended content, and increasing algorithm transparency.

[Reference:

https://mp.weixin.qq.com/s/3oaVD-WsDvF_LYTKDf9Mfg]

5. Four national standards, including “Security Requirements for the Processing of Sensitive Personal Information” and “Basic Security Requirements for Generative Artificial Intelligence Services”, have been published in full

Recently, the full text of four national standards was officially published: “Data Security Technology - Security Requirements for the Processing of Sensitive Personal Information” (GB/T 45574-2025), “Cybersecurity Technology - Basic Security Requirements for Generative Artificial Intelligence Services” (GB/T 45654-2025), “Cybersecurity Technology - Security Specifications for Generative Artificial Intelligence Pre-training and Optimization Training Data” (GB/T 45652-2025), and “Cybersecurity Technology - Security Specifications for Generative Artificial Intelligence Data Annotation” (GB/T 45674-2025). All four national standards will take effect on November 1, 2025.

[Click to view the full text of the relevant national standards:

“Data Security Technology - Security Requirements for the Processing of Sensitive Personal Information”:

https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=F9F3A2EBF49E9B4D73AD8C8912986D5A;

“Cybersecurity Technology - Basic Security Requirements for Generative Artificial Intelligence Services”:

https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=F67D3F376E0A0A0FF5317FB36B32A30A;

“Cybersecurity Technology - Security Specifications for Generative Artificial Intelligence Pre-training and Optimization Training Data”:

https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=82710B59110419C285BDC48AB4D7D1F3;

“Cybersecurity Technology - Security Specifications for Generative Artificial Intelligence Data Annotation”:

https://openstd.samr.gov.cn/bzgk/gb/newGbInfo?hcno=407584DD0FA2BA19E62E85D3469290B0]

Overseas news

1. The U.S. House of Representatives launched an investigation into Chinese automaker BYD, involving data security and cybersecurity

On May 21, the U.S. House of Representatives Committee on Homeland Security sent a letter to the CEO of BYD North America and the co-CEOs of its subsidiary, requesting detailed information on the company’s corporate structure, data security practices and operational footprint. The letter noted that the automaker’s electric buses are equipped with real-time location tracking, cellular modems, in-vehicle monitoring, and cloud-based management software, and are widely used in U.S. public transit systems and school districts, where they may operate near sensitive locations such as military facilities, government buildings, or schools. If the data streams generated by these vehicles are processed through foreign-controlled components or cloud services, they could be exploited in ways that threaten U.S. operational security and public safety. The committee asked BYD to provide its data collection, storage, and transmission policies and to state whether data is shared with China; to provide cybersecurity assessments of vehicle software and systems; and to state whether it complies with specific Chinese laws and regulations and whether Chinese authorities have requested access to data. The committee warned that if BYD fails to submit the requested documents on time, it may face further compulsory measures.

[Reference:

https://www.bloomberg.com/news/articles/2025-05-21/byd-documents-sought-by-house-panel-in-probe-of-us-electric-bus-unit]

2. The European Commission published its Fourth Omnibus Simplification Package, which includes measures to reduce the GDPR compliance burden on small and medium-sized enterprises

On May 21, the European Commission officially released its Fourth Omnibus Simplification Package, which aims to strike a new balance between business competitiveness and regulatory compliance. The measures are reported to save EU businesses an additional €400 million in administrative costs each year. The measures also introduce a new category, small mid-cap companies (SMCs), to reduce compliance obligations and free up resources for growth and investment. In addition, the measures make structural revisions to the obligation under Article 30 of the GDPR to keep records of processing activities: records would be mandatory only where processing activities are likely to pose a “high risk” to the rights and freedoms of data subjects, and the exemption would be extended to SMCs and organizations with fewer than 750 employees.

[Reference:

https://single-market-economy.ec.europa.eu/publications/omnibus-iv_en]

3. Italian Data Protection Authority fines US AI chatbot Replika €5 million

On May 19, the Italian Data Protection Authority announced in a press release that it had fined Luka Inc., the US company behind the chatbot Replika, €5 million and had launched an independent investigation to assess whether the generative AI system behind the chatbot processes personal data appropriately. The chatbot has text and voice interfaces and allows users to generate a “virtual friend” to serve as a confidant, therapist, romantic partner, or mentor. The Authority found that Replika committed several violations, including failing to identify the legal basis for its personal data processing activities, violating the transparency principle, and failing to implement an age verification mechanism.

[Reference:

https://gpdp.it/home/docweb/-/docweb-display/docweb/10132048]