China Publishes First Personal Information Protection Report
China’s top internet regulator has published its first-ever comprehensive annual report on personal information protection, marking a strategic shift from broad, principle-based regulations toward more refined and targeted governance approaches. The Cyberspace Administration of China (CAC) released the China Personal Information Protection Report (2025) on June 12, 2026, providing a systematic review of the country’s data privacy progress over the past year.
A Landmark Document
The report, released at the critical juncture between the conclusion of the 14th Five-Year Plan (2021–2025) and the beginning of the 15th Five-Year Plan (2026–2030), serves as both a retrospective assessment and a forward-looking blueprint. According to the CAC’s official Q&A session, the document is structured across seven chapters covering achievements in top-level design, regulatory governance, social co-governance, public education, and international cooperation, with an appendix compiling relevant laws, national standards, and judicial cases.
From Principles to Precision
For years, China’s personal information protection framework faced what experts describe as a fundamental challenge: too many principle-based provisions and too few operational standards. Wang Limei, a professor at the China University of Political Science and Law’s Institute of Data Rule of Law, told Guangming Daily that “the implementation of the ‘last mile’ of the system has been a governance difficulty.”
The 2025 report signals a decisive move to close that gap. “Personal information protection is deepening from principle-based norms toward refined governance,” Wang Limei said, highlighting the shift toward detailed, actionable standards that can be effectively enforced.
Enforcement in Numbers
The report reveals the scale of China’s regulatory enforcement efforts in 2025. CAC and relevant departments cumulatively notified over 1,100 non-compliant apps and software development kits (SDKs), inspected more than 80,000 venues using facial recognition technology and over 140,000 offline consumption scenarios, and handled more than 8,300 instances of illegal collection and use of personal information.
A suite of key regulations took effect during the year, including the Regulations on Network Data Security Management, the Administrative Measures for Personal Information Protection Compliance Audits, and the Administrative Measures for the Safe Application of Facial Recognition Technology. China also released nine national standards for personal information protection in 2025, including two mandatory standards focused on electronic product information erasure and children’s smartwatch safety management.
Building a Social Co-Governance Framework
China’s approach to data privacy extends beyond government enforcement to what officials call “social co-governance” — a multi-stakeholder framework engaging industry associations, certification bodies, and the public. Du Aning, Deputy Secretary-General of the China Cyberspace Security Association, said that “China has built an all-round, multi-level, three-dimensional institutional guarantee network for personal information protection.”
By the end of 2025, 1,531 individuals had received personal information protection compliance audit capability assessment certificates. The National Network Identity Authentication Platform had been downloaded over 60 million times, providing 170 million authentication services. The China Cyberspace Security Association received over 15,000 public reports throughout the year.
The Public Awareness Challenge
Despite these institutional advances, a significant gap remains between regulatory frameworks and public awareness. Wang Zhicheng, Deputy Director of the CAC’s Data and Technology Support Center, noted that while the general public has high awareness of personal information protection, many remain confused about how to respond to violations. “Surveys show that 70% of the public, when facing personal information rights violations, cannot find the most effective channels for rights protection,” Wang Zhicheng said.
Wang described the report as a “textbook” for improving public understanding, providing detailed guidance on navigating high-risk scenarios such as online lending, job recruitment, and travel booking — including advice on refusing mandatory facial recognition and blanket authorization requests.
Implications for the 15th Five-Year Plan
The report’s release at the transition between China’s five-year planning cycles positions it as a foundational document for the country’s data governance strategy through 2030. Wang Limei noted that the framework “marks the sublimation of personal information protection from a single rights protection mechanism to a fundamental institutional arrangement for the orderly operation of digital society.”
As China enters the 15th Five-Year Plan period, experts expect the refined governance approach to adapt to emerging technologies such as artificial intelligence, autonomous driving, and the Internet of Things — areas that raise novel privacy challenges not fully addressed by existing regulations. Wang Zhicheng emphasized that “with the development of new technologies and applications like AI and autonomous driving, personal information protection continues to face new challenges, requiring the formulation of timely and evolving legal norms.”
What to Watch
Looking ahead, several key questions will shape China’s personal information protection landscape: How will the regulatory framework adapt to generative AI and other emerging technologies? What specific enforcement mechanisms will be introduced during the 15th Five-Year Plan period? And critically, how will authorities address the 70% public awareness gap to ensure citizens can effectively exercise their rights?
The report makes clear that China is moving beyond the foundational phase of data privacy legislation into an era of精细化 (refined) governance — one where the focus shifts from establishing rules to ensuring they work in practice.