
Data Newsletter | April 29, 2026

Lusheng Editor

Takeaways

  • On the same day, Wuxi and Sanya each released a case, marking the first enforcement actions in China involving algorithm filing and security assessment obligations. The summoned companies were ordered to remove services and rectify within a specified period.
  • The Cyberspace Administration of China (CAC) guided several major platforms to carry out a special campaign to standardize short video content labeling, regulating tag settings and video publishing processes. Six major platforms including Douyin and Kuaishou removed over 37,000 non-compliant short videos (such as fake and staged content), took actions against over 3,400 violating accounts, and applied required labels to more than 600,000 short videos that had previously lacked proper labeling.
  • Two recommended national standards, the Guidelines for Personal Information Protection of Small Personal Information Processors and Data Security Technology – Capability Requirements for Professional Institutions Conducting Personal Information Protection Compliance Audits, are now officially under development, with their submission for approval expected in September 2027.
  • Overseas, to implement the restrictions on minors’ access to social media, chatbots and other applications introduced in December last year and March this year, the Office of the Australian Information Commissioner (OAIC) issued privacy guidance on age verification technology, standardizing data collection activities during the verification process.
  • Meanwhile, global enforcement actions on data security and personal information protection continue to intensify: Lotte Card in South Korea was fined over KRW 9.6 billion (about USD 6.49 million) for a massive personal information leak; FC Barcelona in Spain was fined EUR 500,000 (about USD 585,000) by the local data protection authority for non-compliant collection of facial recognition data of its members.

Regulative Highlights

Wuxi and Sanya Cyberspace Authorities Respectively Summon Companies Failing to Complete Algorithm Assessment and Filing Obligations

The Administrative Provisions on Algorithm Recommendation for Internet Information Services, which took effect on March 1, 2022, require providers of algorithm recommendation services with public opinion attributes or social mobilization capacity to complete algorithm filing procedures within 10 days of service launch, carry out security assessments, and fulfill information security management obligations. On March 20 this year, the Cyberspace Administration offices of Sanya and Wuxi respectively made public cases in which they conducted regulatory interviews with local companies that had failed to fulfill those obligations. These actions represent the first enforcement activities in China targeting algorithm assessment and filing obligations. Details are as follows:

  • A company in Wuxi provided generative AI services to users by directly invoking the capabilities of a registered large language model through API interfaces on its website. It failed to register its generative AI application and did not conduct security assessments as required. Penalties included a regulatory interview with the responsible person, an order to immediately take the service offline, and a requirement to carry out security assessment and related procedures.
  • A company in Sanya, prior to providing algorithm recommendation services with public opinion attributes or social mobilization capacity, was found to have violated national regulations by failing to carry out security assessments, failing to complete filing procedures as required, and potentially generating harmful information. Penalties included a regulatory interview with the responsible person, ordering rectification within a specified period, and requiring assessment and filing.

CAC Releases Two-Year Results of Implementing the Provisions on Promoting and Regulating Cross-Border Data Flow

The Provisions on Promoting and Regulating Cross-Border Data Flow officially took effect on March 22, 2024, generally easing conditions for cross-border data flow and narrowing the scope of security assessments. Two years on, the main results are as follows:

  • The governance system for cross-border data export security has been steadily improved, with the issuance of rules covering cross-border personal information transfer certification and guidelines for specific industries such as finance and automobiles.
  • Regulatory processes have been continuously optimized. The third version of the security assessment application guide has further simplified application materials. The pre‑assessment pilot, originally conducted in Beijing, Shanghai, Guangzhou, Tianjin, Jiangsu, and Zhejiang, has been expanded to include eight additional provinces/municipalities such as Fujian and Hainan. Three certification bodies for outbound personal information transfers have been reviewed and approved.
  • The free trade zones’ negative lists for data exports have continued to expand. Nine FTZs (ports), including Beijing, Shanghai, and Hainan, have filed and published negative lists covering 22 sectors such as automobiles, retail, and civil aviation.
  • In addition, local capabilities for cross-border data services have significantly improved, public outreach on data export security management policies has been strengthened, and international exchanges and cooperation on cross-border data flow have been further deepened.

Cross-Border Data Transfer

On March 1, China’s first national standard on cross-border personal information security management, Data Security Technology – Security Certification Requirements for Cross‑Border Personal Information Processing Activities, officially came into effect. It specifies the basic principles, basic requirements, and protection requirements for the rights and interests of personal information subjects that relevant parties should follow when processing personal information across borders, covering the obligations and responsibilities of domestic personal information processors and overseas recipients, as well as the entire cross‑border personal information processing process.

On March 27, the China Cybersecurity Review, Certification and Market Regulation Big Data Center, together with the Cyberspace Administration of Haidian District, Beijing, issued the Beijing Implementation Guidance on Personal Information Outbound Certification (First Edition). It further clarifies the core elements of personal information outbound certification, including applicable scenarios, application methods, certification requirements, and supervision and management. This is the first local‑level operational guidance document issued since the implementation of the Personal Information Protection Law that specifically addresses the “personal information protection certification” pathway of cross-border personal information transfer.

On March 27, Beijing released the 3.0 Version of the Comprehensive Supporting Reform Plan for Facilitating Cross‑Border Data Flows, focusing on six key sectors including healthcare and artificial intelligence, and adopting a sector‑specific approach. The plan also targets six distinctive areas, such as the International Pharmaceutical Innovation Park and the Law–Business Integration Demonstration Zone, to build “one zone, one brand” cross‑border data service offerings, further advancing reforms to facilitate cross‑border data flows. As of March 2026, 312 enterprises in Beijing have passed data export security assessments or completed filings under the standard contract mechanism.

Data Standards

On March 11, the Standardization Administration of China (SAC) issued a plan for 16 recommended national standards, including Guidelines for Personal Information Protection of Small Personal Information Processors and Data Security Technology – Capability Requirements for Professional Institutions Conducting Personal Information Protection Compliance Audits, scheduled for submission for approval on September 2, 2027.

Data Security

As the open-source AI agent OpenClaw has rapidly gained adoption but presents prominent security risks such as excessive permissions, insufficient default security settings, and a high likelihood of data breaches, multiple authorities including the China National Vulnerability Database of Information Security, the National Computer Network Emergency Response Technical Team, the Data and Technology Support Center of the CAC, CNIPA, and the National Internet Finance Association of China issued risk alerts regarding OpenClaw. On March 31, the National Cybersecurity Standardization Technical Committee publicly solicited comments on the Cybersecurity Standard Practice Guide – Security Guidelines for the Deployment and Use of OpenClaw‑Like Agents (Draft for Comments). This Guide applies to individual users who deploy OpenClaw‑like agents on their own, or to organizations that deploy or use such agents for internal personnel. The security protection of commercial agents shall refer to other relevant policies and standards.

Data Enforcement

On March 3, the Supreme People’s Court released a set of typical cases on lawfully punishing online violence–related crimes, covering issues such as online insults and defamation; exposing others’ personal information through online “doxxing” to facilitate defamation; posting and reposting negative information about enterprises online and engaging in extortion by demanding fees for content removal; and malicious online attacks undermining the reputation of corporates and entrepreneurs.

On March 21, the CAC guided online platforms to fully standardize short video content labeling, regulating the design and use of content labels, requiring labeling as a mandatory step before publishing, and conducting phased retrospective reviews to add or supplement labels for existing short‑form videos. Over the past month, six major platforms (Douyin, Kuaishou, Tencent, Xiaohongshu, Bilibili, and Weibo) removed over 37,000 non-compliant videos (e.g., fake staged content), took actions against over 3,400 violating accounts, added labels to over 600,000 videos, and issued 18 governance reports.

On March 17, Beijing launched the "Clear and Bright Beijing – AI for Good" special campaign, targeting the use of AI to generate pornographic or vulgar content, fake and infringing information, false rumors, as well as the sale of or instruction on methods to remove AI‑generated content labels. Platforms are urged to improve AI-generated content identification, review, and removal capabilities.

Various authorities continued app supervision. On March 6, the Shanghai Communications Administration notified 14 problematic apps and removed 10 that refused to rectify on March 20. On March 13, the Ministry of Industry and Information Technology notified 24 non-compliant apps (SDKs). On March 16, the Beijing Communications Administration notified 4 apps for ineffective rectification. On March 31, the National Computer Virus Emergency Response Center reported 71 mobile apps for illegally collecting personal information.

Worldwide News

On March 11, Lotte Card was fined KRW 9.62 billion (about USD 6.5 million) by the Personal Information Protection Commission of South Korea (PIPC). The penalty followed a data breach in September 2025, which compromised the personal credit information of approximately 2.97 million users — including the resident registration numbers of 450,000 individuals. PIPC found that Lotte had committed critical security lapses, specifically storing users’ sensitive data in plaintext, processing ID numbers beyond authorized limits, and failing to implement encryption measures.

On March 5, FC Barcelona was fined EUR 500,000 (about USD 585,000) by the Spanish Data Protection Authority (AEPD). The penalty followed the club's collection of facial selfies, classified as biometric data, from approximately 143,000 members during a member census update, with numerous material deficiencies identified in the Data Protection Impact Assessment submitted by the club.

Oklahoma's privacy bill, Senate Bill 546 (SB 546), has been formally enacted and will take effect on January 1, 2027. The law applies to businesses operating in Oklahoma that either process personal data of over 100,000 consumers, or process data of at least 25,000 consumers while deriving most of their revenues from the sale of personal data. It grants consumers the right to access, correct, delete, and obtain copies of their personal data, as well as to opt out of the sale of their personal data and certain targeted advertising practices.

On March 17, the Office of the Australian Information Commissioner (OAIC) released privacy guidance on age assurance technologies. Australia has prohibited children under 16 from registering social media accounts since December 2025, and in March 2026 further imposed age verification requirements on a wider range of online services - including chatbots, search engines and games - to shield minors from harmful content, driving a continuous surge in online age verification scenarios and demand. OAIC emphasized that age assurance must not serve as a “blank cheque” to use personal. The guidance requires platforms to first assess the necessity of age checks, adhere to the principles of proportionality and necessity, obtain clear consent when collecting sensitive information, improve privacy notices, and establish accessible complaints mechanisms. Failure to meet these obligations may still trigger compliance or enforcement action.

