Firm News

Data Law Weekly (20250602-20250608)

Published: 2025-06-09

Authors: 陈嘉伟 张功俐 童浩文

Source: 至融至泽

Contents

I. Domestic news

1. Shanghai Communications Administration issued a notice on 50 apps (SDKs) that infringe user rights and interests

2. Full text of the Regulations on the Sharing of Government Data (《政务数据共享条例》) published

3. The CAC released the “Announcement on the Nineteenth Batch of Filing Numbers for Domestic Blockchain Information Services” (《第十九批境内区块链信息服务备案编号的公告》)

4. The Cyberspace Administration of Shanghai issued the “Notice on the Implementation of Registration for the Application of Facial Recognition Technology” (《关于开展人脸识别技术应用备案的通知》)

II. Overseas news

1. EDPB published guidelines on the transfer of data to third country supervisory authorities

2. EDPB discussed simplification of GDPR record-keeping obligations

Domestic news

1. Shanghai Communications Administration issued a notice on 50 apps (SDKs) that infringe user rights and interests

On June 5, the Shanghai Communications Administration issued the “Circular on APPs Infringing on User Rights and Interests (Fourth Batch in 2025)” (《关于侵害用户权益行为APP的通报(2025年第四批)》). According to the circular, the Administration organized a third-party testing agency to conduct a random inspection of apps (SDKs) in the city, and a total of 50 apps (SDKs) were found to be infringing on users' rights and interests. The primary issues identified in these apps (SDKs) include: failure to clearly disclose personal information processing rules; illegal collection of personal information; collection of personal information beyond the scope of necessity; and unauthorized self-startup and associated startup behaviors.

[Reference: https://mp.weixin.qq.com/s/Xt5u7gOMpp7R7qcwKc8z2g]

2. Full text of the Regulations on the Sharing of Government Data (《政务数据共享条例》) published

On June 3, the State Council officially released the full text of the Regulations on the Sharing of Government Data. The Regulations apply to the sharing of government data between government departments and organizations authorized by laws and regulations to perform public affairs management functions, as well as to related security, supervision, and management work. Under the Regulations, government departments shall collect government data in accordance with their legally defined powers, procedures, and standards. Where government data obtained through sharing can meet the needs of fulfilling their duties, government departments shall not collect the same data again from citizens, legal persons, or other organizations.

[Click to view the full text of the Regulations: https://www.gov.cn/zhengce/zhengceku/202506/content_7026295.htm]

3. The CAC released the “Announcement on the Nineteenth Batch of Filing Numbers for Domestic Blockchain Information Services” (《第十九批境内区块链信息服务备案编号的公告》)

On June 3, the Cyberspace Administration of China (CAC) released the “Announcement on the Nineteenth Batch of Filing Numbers for Domestic Blockchain Information Services” (《第十九批境内区块链信息服务备案编号的公告》). The announcement covers a total of 42 domestic blockchain information service providers. According to Article 11 of the Regulations on the Administration of Blockchain Information Services (《区块链信息服务管理规定》), blockchain information service providers shall, within ten working days from the date of service provision, complete the filing procedures by submitting the service provider's name, service category, service form, application field, server address, and other information through the CAC's blockchain information service filing management system.

[Reference: https://www.cac.gov.cn/2025-06/03/c_1750661971448959.htm]

4. The Cyberspace Administration of Shanghai issued the “Notice on the Implementation of Registration for the Application of Facial Recognition Technology” (《关于开展人脸识别技术应用备案的通知》)

On June 3, the Cyberspace Administration of Shanghai issued the “Notice on the Implementation of Registration for the Application of Facial Recognition Technology” (《关于开展人脸识别技术应用备案的通知》). The “Security Management Measures for the Application of Facial Recognition Technology” (《人脸识别技术应用安全管理办法》) stipulate that personal information processors shall, within 30 working days from the date on which the facial information they store through the application of facial recognition technology reaches 100,000 individuals, register with the cyberspace administration department at or above the provincial level in their locality. Previously, the CAC issued the “Notice on the Implementation of the Registration System for the Application of Facial Recognition Technology” (《关于开展人脸识别技术应用备案工作的公告》), clarifying the scope of entities required to register, the registration timeline, and the registration procedures. To guide and assist personal information processors in conducting registration in a standardized and orderly manner, the Cyberspace Administration of Shanghai issued this notice to announce the relevant consultation channels and a summary of the registration requirements.

[Reference: https://mp.weixin.qq.com/s/pluYjxeFRA3GYa4IKjPf9w]

Overseas news

1. EDPB published guidelines on the transfer of data to third country supervisory authorities

On June 5, the European Data Protection Board (EDPB) published Guidelines 02/2024 on Article 48 GDPR (Version 2.0). The guidelines focus on Article 48 of the GDPR and clarify how organizations can lawfully respond to requests for the transfer of personal data from third country authorities (i.e., non-European national authorities). The EDPB explains that judgments or decisions of third country authorities are not automatically recognized or enforced in Europe. Generally, an international agreement can serve as the legal basis for the transfer. If no international agreement exists, or if the agreement does not provide for an appropriate legal basis or safeguards, other legal bases may be considered on a case-by-case basis in exceptional circumstances.

[Click for the full text of the Guidelines: https://www.edpb.europa.eu/system/files/2025-06/edpb_guidelines_202402_article48_v2_en.pdf]

2. EDPB discussed simplification of GDPR record-keeping obligations

On June 5, during its plenary session, the EDPB discussed the European Commission's request for a joint opinion by the EDPB and the European Data Protection Supervisor (EDPS) on its proposal to simplify the record-keeping obligations of small and medium-sized enterprises (SMEs), small mid-caps (SMCs) and organisations with fewer than 750 employees, which amounts to a targeted amendment of Art. 30(5) GDPR. The EDPB and EDPS will issue their joint opinion on this matter within eight weeks.

[Click to view the official press release: https://www.edpb.europa.eu/news/news/2025/edpb-publishes-final-version-guidelines-data-transfers-third-country-authorities-and_en]