Takeaways
- China continues to refine its regulatory framework for AI services. The Cyberspace Administration of China (CAC) has released the Interim Measures for the Management of Artificial Intelligence Anthropomorphic Interactive Services, which set forth new compliance requirements for agents such as virtual lovers and virtual relatives. These requirements, including anti-addiction prompts, enhanced minor protection, user risk behavior intervention, and mandatory risk assessments, pose a significant challenge for service providers, who must balance service delivery with robust personal information protection.
- The Administrative Measures on Digital Human Information Services and the Provisions on Simplified Measures for Personal Information Protection by Small-scale Personal Information Processors are soliciting public comments. The Digital Human Measures largely align with the new regulations on anthropomorphic interaction services, requiring service providers to label digital human-generated content and strengthen protection for minors. Additionally, the Measures impose requirements on the legality of source materials and on content safety management, tailored to common irregularities in practice. The latter offer reduced compliance requirements for entities handling the personal information of fewer than 100,000 individuals within China, including exemptions from drafting standalone privacy policies or notifying data subjects individually. They also introduce a compliance audit self-checklist, allowing firms to fulfill internal management obligations through a simplified checkbox format.
- Overseas, the EDPB issued two decisions regarding EU privacy certification. For the first time, the EU allows companies established outside the European region to utilize the “Europrivacy” certification path to facilitate the cross-border transfer of EU personal information to their overseas headquarters.
Regulatory Highlights
CAC Releases the Interim Measures for the Management of Artificial Intelligence Anthropomorphic Interactive Services
The Interim Measures for the Management of Artificial Intelligence Anthropomorphic Interactive Services (the Interim Measures) will take effect on July 15. They primarily apply to services that use artificial intelligence technologies to provide the public within China with continuous emotional interaction, simulating human personality traits, thinking patterns, and communication styles, including services delivered via text, images, audio, video, etc. for emotional care, companionship, and support. Conversely, the Interim Measures do not apply to services such as intelligent customer service, knowledge Q&A, work assistants, education and learning, and scientific research. This means specialized agents such as virtual lovers and role-playing bots clearly fall under the jurisdiction of the Interim Measures. However, whether general-purpose conversational AI is covered still needs to be determined based on factors such as its memory and role-playing functionalities, as well as case-by-case determinations in subsequent enforcement practice.
In addition to basic obligations for Large Language Models, such as content management, algorithm mechanism review, technology ethics reviews, and full-lifecycle network and data security management, the Interim Measures specify a series of targeted obligations for anthropomorphic interactive service providers, as follows:
- Targeted requirements on information content management: It is prohibited to generate content that violates laws and regulations, harms physical and mental health, or induces the disclosure of national secrets and personal information. Furthermore, emotional manipulation and the inducement of dependency or addiction are explicitly banned.
- User intervention and emergency response mechanism: Users shall register and provide necessary information including age, guardian details, and emergency contacts. In the event of extreme emotional states, major financial loss, or life‑threatening situations such as self-harm or suicide, appropriate assistance shall be provided, and the guardian/emergency contact shall be promptly notified.
- Enhanced protection of minors: Effectively identify minor users. Provision of virtual intimate relationship services to minors is prohibited. Provision of other anthropomorphic interaction services to minors under the age of 14 shall require guardian consent. A minor protection mode shall be established and automatically applied to identified minor users, supporting functions such as enabling guardians to receive safety risk alerts, blocking specific characters, and restricting top-ups and spending.
- Strengthening user data protection: Providing interaction data to third parties and using user data for model training both require explicit consent; the latter specifically requires separate consent. Reliance solely on opt-out mechanisms poses a non-compliance risk.
- AI-generated content labelling and anti-addiction notice obligations: In addition to general disclosures indicating non-human interaction, where addictive tendencies are identified, prominent dynamic notices (e.g., pop-ups) shall be used to indicate that the interaction content is AI-generated. Where usage exceeds two hours, users shall be reminded of the duration of use via dialogue prompts, pop-ups, or other means.
- Security assessment for anthropomorphic interaction services: Security assessments shall be conducted for newly launched services, addition of relevant functionalities, or any major changes to services, and reports shall be submitted to the provincial-level cyberspace administration.
CAC Solicits Public Comments on the Administrative Measures on Digital Human Information Services (Draft)
The Administrative Measures on Digital Human Information Services (Draft) were released to solicit public comments on April 3. In addition to standard data security protection, algorithm filing, and content management obligations, providers and users of digital virtual human services must also adhere to the following specific requirements under the Draft:
- The generation of virtual digital humans shall respect others’ personality rights, intellectual property rights, and other lawful interests: The use of sensitive personal information of natural persons for model or image generation shall require separate consent. Others’ personality rights shall not be infringed through derogatory or defaming representations, and identifiable information such as another person’s likeness, voice, or pen name shall not be used without authorization.
- Enhanced minor protection: Virtual intimate relationship services and the inducement of addiction or excessive consumption are prohibited.
- Labeling “digital human”: In addition to AI-generated content labeling, the Draft introduces a requirement to continuously display a prominent notice containing the term “digital human” throughout the display area.
- Content management obligations: In addition to general information management requirements such as not endangering national security or violating public order and good morals, the Draft sets forth specific requirements tailored to digital humans, including prohibiting using them to circumvent real-name authentication mechanisms, prohibiting infringement of the lawful rights and interests of real-person operators (including personal information protection and freedom of employment), and prohibiting illegal activities such as false advertising and telecom fraud. Where service providers become aware of unlawful use of their services, they shall proactively take appropriate measures and, where necessary, suspend or terminate the provision of services.
CAC Solicited Public Comments on the Provisions on Simplified Measures for Personal Information Protection by Small-scale Personal Information Processors (Draft)
The Provisions on Simplified Measures for Personal Information Protection by Small-scale Personal Information Processors (Draft) apply to small personal information processors within China that handle the personal information of fewer than 100,000 individuals. The provisions introduce a series of simplified compliance arrangements covering the entire course of personal information processing. The main contents are as follows:
- Simplification of the obligation to formulate personal information processing rules: In terms of content, the rules shall include three basic elements: the name of the processor, contact details, and processing rules. In terms of format, a standalone document is not mandatory; the rules can instead be publicly displayed on-site or incorporated into a user agreement. Meanwhile, administrators of industrial parks, industrial bases, commercial properties and internet platforms are permitted to formulate uniform privacy policies, which can be adopted by eligible enterprises by declaration.
- Simplification of the notification and consent obligations: Simplified notification and consent procedures may be adopted in the following cases: eligible enterprises operating on internet platforms (e.g., e-commerce merchants that collect personal information out of business necessity and do not provide it to third parties); cases where sensitive information processing rules have been declared and the data is voluntarily provided by the subject; and situations where notifying individuals is objectively impossible following a personal information security incident.
- Simplification of internal compliance management: The provisions introduce a Personal Information Protection Compliance Audit Self-review Form and a Personal Information Protection Impact Assessment Form, allowing small processors to conveniently complete compliance audits (required once every five years) and impact assessments using a checkbox format.
- Clarifying the circumstances of relieving and mitigating liability: The Draft specifies circumstances under which penalties may be waived, mitigated or reduced, including minor violations, first-time violations, proactively eliminating or reducing harmful consequences, and active cooperation with investigations.
Artificial Intelligence
On April 2, ten departments including the Ministry of Industry and Information Technology (MIIT) issued the Measures for Ethical Review and Service of Artificial Intelligence Technology (Trial). Building on the Measures for Science and Technology Ethical Review (Trial) implemented at the end of 2023, the new document further clarifies national-level support and promotion measures, as well as the detailed procedures for conducting ethical review.
On April 28, the CapCut app, the Maoxiang app and the Dreamina AI website were penalized by the local cyberspace authorities for failing to effectively implement the requirements for labeling AI-generated and synthetic content. The primary penalties included summoning their operators, ordering rectifications, issuing warnings and imposing strict penalties on responsible personnel.
On April 30, CAC deployed a three-month Clear and Bright – Rectifying the Abuse of AI Applications special campaign. It will be carried out in two phases. The first one will focus on cleaning up and rectifying illegal AI applications, enhancing the regulation of AI generation and synthesis technology and content labelling, as well as promoting online platforms to improve their ability to identify fake content. The second phase will focus on the prominent issues such as using AI technology to create and publish rumors, false information, pornographic and vulgar content, as well as impersonating others and engaging in online water army activities. This phase will also remove related illegal and harmful information, while penalizing violations committed by non-compliant accounts, MCN organizations and other online platforms.
On April 23, the State Administration for Market Regulation (SAMR) launched an effort to deepen the governance of the online advertising ecosystem. AI-generated advertisements have been identified as a key focus of market order rectification over the next six months. SAMR emphasized the requirement to label AI-generated advertisements in accordance with regulations and stepped up efforts against the use of AI to impersonate or fabricate experts, scholars, or other celebrities in false advertising and other illegal practices.
In April, China continued to advance the implementation of AI policies and their application across various scenarios. On April 2, the National Medical Products Administration issued the Implementation Opinion on “AI + Drug Regulation”, aiming to promote the in-depth integration of AI with drug regulation and accelerate the development of a nationally-integrated drug smart-regulation system. On the same day, five departments including the Ministry of Education issued the “AI + Education” Action Plan, aiming to integrate intelligent technologies across all aspects and scenarios of education and accelerate the construction of a new model of smart education. On April 17, the National Development and Reform Commission announced plans to introduce policies promoting private investment in fields including the digital economy and AI, with the aim of further energizing private capital participation in the AI industry.
Cross-Border Data Transfer
On April 7, the Regulations on Countering Foreign Improper Extraterritorial Jurisdiction officially took effect. The Regulations provide that foreign organizations or individuals that promote or participate in the implementation of improper extraterritorial jurisdiction measures, and are consequently placed on the list of malicious entities, may face restrictions or prohibitions on organizations and individuals in China providing them with data or personal information, or engaging in transactions and cooperation with them.
On April 15, the Implementation Guidance on Negative List For Cross-Border Data Transfers in China (Jiangsu) Pilot Free Trade Zone Suzhou Area (Trial) was officially released. Since the introduction of the negative list in August 2025, companies such as Qichacha and Johnson & Johnson have completed cross-border data transfers through filings under the list. The newly issued Guidance further implements the requirements of the negative list. While supporting companies within the zone in applying negative lists issued across different regions nationwide, it also clarifies the specific procedures for carrying out cross-border data transfers.
On April 24, the Shanghai Cyberspace Administration and Shanghai Data Bureau jointly released the Interim Measures for Managing the Negative Lists for Cross-Border Data Transfers, extending the scope of application from the free trade zones to the entire municipality. The updated negative list covers 109 data items across four sectors, including reinsurance, international shipping, trade, and meteorology. It also relaxes compliance requirements for certain cross-border data transfer scenarios and further streamlines cross-border data transfer procedures for both foreign-funded and domestic companies, reducing overall compliance costs.
Personal Information Protection
On April 2, CAC, together with MIIT and the Ministry of Public Security (MPS), launched a special campaign for personal information protection in 2026. The campaign targets illegal and non-compliant collection and use of personal data in key sectors such as App/SDK, online advertising, education, transportation, healthcare, and finance. It will also carry out focused enforcement across seven major sectors related to personal information violations and crimes.
On April 29, CAC published a Q&A concerning personal information protection policies and regulations, clarifying the statistical method for personal information. Specifically, the quantity should be calculated based on the number of natural persons whose personal information is currently being processed by the processor, excluding any personal information that has already been deleted.
Cybersecurity
CAC, MIIT and MPS have jointly issued the Cybersecurity Label Management Measures, which will take effect on July 1, 2026. The measures apply to products with internet connectivity and establish a three-tier cybersecurity labeling system based on the level of security capability: one-star (basic), two-star (enhanced), and three-star (advanced). Each tier carries progressively higher security requirements, with the advanced level requiring third-party penetration testing.
Data Enforcement
On April 28, CAC released the Report on the Development of Cyber Rule of Law in China (2025). In 2025, cyberspace authorities nationwide summoned 5,811 websites and platforms for regulatory talks, issued 1,646 warnings, imposed fines on 521 websites and platforms, and, together with telecommunications regulators, deregistered and shut down a total of 9,637 websites and apps.
On April 15, the Zhejiang Cyberspace Administration reported its online enforcement activities for March. A Hangzhou-based technology company failed to take necessary technical and other data protection measures, leaving weak password vulnerabilities in its servers. Hackers exploited those vulnerabilities, resulting in data exfiltration overseas. The company was issued a warning and fined CNY 50,000 (about USD 7,358).
Various authorities continued APP regulation. On April 2, the Computer Information System Security Product Quality Supervision and Inspection Center of the MPS reported 37 APPs that were illegally or non-compliantly collecting and using personal information. On April 17, the Shanghai Cyberspace Administration disclosed the first batch of personal data collection and usage issues found in locally operated APPs and mini-programs for parks and tourist attractions in 2026. On April 27 and 30, CAC and the National Computer Virus Emergency Response Center reported 33 and 67 APPs and mini-programs with similar violations respectively. In addition, on April 23, the Cyber Security Association of China reported that five APPs across four categories, including online games, online car-hailing, mail express, and security management, had completed corrective actions to address issues such as excessive data collection, overuse of sensitive permissions, permission settings, and difficulties with account cancellation.
On April 14, the SPC released the Typical Intellectual Property Cases of the People’s Court in 2025, including an unfair competition case arising from the illegal scraping and use of data from another platform. The defendant used a price-comparison plugin to obtain users’ cookies from the plaintiff’s e-commerce platforms, bypassing multiple anti-scraping measures to illegally collect product data. The defendant then provided paid data products and services on its own platform. In the first instance, Ningbo Intermediate People’s Court held that the defendant’s conduct constituted unfair competition and ordered compensation of CNY 5,000,000 (about USD 736,085).
Worldwide News
On April 15, the European Data Protection Board (EDPB) issued two opinions regarding Europrivacy, the EU-wide data protection certification. The first opinion allows companies established outside the European region, but still subject to the GDPR, to apply for Europrivacy certification to demonstrate that their data processing activities comply with GDPR requirements. The second opinion clarifies that the Europrivacy certification can be used as a mechanism for cross-border data transfers. This marks the first time the EU has introduced a privacy certification mechanism specifically for international data transfers. Companies outside the EU can now rely on Europrivacy as a pathway to transfer data across borders to their overseas headquarters.
On April 20, the French National Agency for Security Documents confirmed that its information system experienced a security incident on April 15, resulting in unauthorized access to certain users’ personal data. The affected information may include users’ names, email addresses, and dates of birth, as well as the home addresses, birthplaces, and telephone numbers of certain individuals. French judicial authorities have already launched an investigation into the matter.






