DCC
Data Compliance China
Search · ⌘K
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ ENFORCEMENT

Enforcement tracker.

Public actions by Chinese data regulators — what gets named, by which agency, against which target, citing which rules. Updated as DCC ingests each new bulletin.

10 TRACKED ACTIONS
01 MIIT
01 SAMR
  • § 01 2026-05-28 SAMR

    Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine

    In April 2026, the State Administration for Market Regulation (SAMR) imposed administrative penalties on seven major e-commerce platforms in the 'ghost takeout' series — 3.5 billion yuan in aggregate corporate fines, nearly 20 million yuan in individual fines on legal representatives and food-safety officers, and 3-to-9-month business suspensions. While the cases were ostensibly food-safety enforcement, their analytical structure — pierce-the-paper-compliance, per-merchant aggregation of penalties, identification of licensed-entity liability holders, dual penalties on individual compliance officers — translates directly to data-compliance enforcement. Adapted from a substantive practitioner analysis by 黄春林 (Huang Chunlin), this DCC brief works through seven operational lessons that DSO / PIPO / DPO and compliance counsel should apply *before* the analogous enforcement wave reaches data compliance.

  • § 02 2026-05-28 MIIT

    MIIT Public-Naming Bulletin 2026 Batch 3 (Total Batch 56): 31 Apps and SDKs Cited for PI Violations and Window-Redirect Abuse

    MIIT's Information & Communications Administration Bureau published its 2026 Batch 3 public-naming bulletin (total Batch 56) on May 21, 2026, citing 31 apps and SDKs for violations of personal-information collection rules and window-redirect abuse. DCC frames this as the first entry in our enforcement tracker — explaining the joint CAC + MIIT + MPS 2026 Special Campaign that authorizes the batches, the four-statute legal architecture invoked, the rectification-then-enforcement pathway each named entity faces, the cadence of the bulletin series (roughly monthly, 56 batches since inception), and the operational picture this gives overseas counsel of which PI-protection violations actually attract enforcement in the Chinese mobile-app channel.

  • § 03 2026-04-22 Other

    When PIPL Violation Becomes a Crime — Hong Yanqing on China's Personal Information Criminal Threshold

    Hong Yanqing on the criminal-side analog to PIPL — when does mishandling personal information cross from administrative violation into the crime of 'infringing on citizens' personal information'? His critique: the two key elements ('relevant State provisions' and 'serious circumstances') are too loose, and courts have stretched them in ways that should worry compliance teams.

  • § 04 2026-04-04 Other

    When Is Facial Recognition in a Public Place 'Necessary for Public Security'? Hong Yanqing's Four-Element Framework

    Hong Yanqing on how to operationalize PIPL Article 26's 'necessary for public security' principle for public-place video surveillance and facial recognition. His framework: a four-step necessity test, tiered risk regime with a published prohibited list, three-fold technical controls, and a lifecycle closure mechanism — drawing on EU AI Act and US state-level practice.

  • § 05 2026-01-08 Other

    Cross-Border Data Discovery — How the U.S., EU, and China Each Play Offense and Defense

    When a foreign authority wants data stored in China — or vice versa — three doctrines compete. The U.S. uses a 'data controller standard' (CLOUD Act) that reaches globally on offense and shields domestically through ECPA blocking on defense. The EU uses 'market access' leverage (GDPR Article 3 jurisdictional reach plus Article 48 blocking). China uses a 'data location standard' (territorial sovereignty plus the MLA Law, DSL, and PIPL blocking clauses). Wang Qinglan maps the four discovery paths, the three jurisdictional doctrines, and what compliance teams should build to survive the squeeze.

  • § 06 2025-12-19 Other

    Will Judicial Review 'Reset' the Data Registration Rush? — Reading Wang Qinglan on the SPC's New Data Disputes Case Category

    Wang Qinglan, head of compliance at a Chinese data exchange, asks what the Supreme People's Court's new 'data disputes' case category — effective January 1, 2026 — does to the data property rights registration certificates that institutions across the country have been issuing. Her argument: certificates issued through formal-only review will not survive substantive judicial scrutiny, and a single rejected certificate could erode trust in the entire registration regime. The path forward is a three-tiered protection model and aligned standards across regulators, registration institutions, and courts.

  • § 07 2025-12-15 Other

    PIPO vs. DPO — How China's Personal Information Protection Officer Differs from the GDPR Data Protection Officer

    The Cyberspace Administration of China announced in July 2025 that personal-information processors handling data on 1 million or more individuals must submit Personal Information Protection Officer (PIPO) information to CAC. Compliance Talker's global legal policy research team contrasts China's PIPO regime under PIPL Article 52 with the GDPR's Data Protection Officer (DPO) framework under Articles 37–39. The most consequential difference: PIPO carries individual administrative liability — up to RMB 1 million in personal fines and industry bans — where DPO does not.

  • § 08 2025-10-28 Other

    Reading the FRT Application Measures — What the 100k-Record Filing Threshold Actually Triggers

    The Administrative Measures for the Application Security of Facial Recognition Technology took effect June 1, 2025. The May 2025 announcement on FRT filing implementation followed. Compliance Talker's global legal policy team walks through the seven specific compliance obligations the Measures impose — the non-exclusive-use rule, end-side storage default, 100k-individual filing threshold, separate-consent reinforcement, PIA mandate, and more — with practical implementation guidance on each. For overseas firms with any China-facing FRT deployment, this is the operational walkthrough.

  • § 09 2024-09-19 Other

    What Does Data Registration Actually Confirm? — A Doctrinal Reading

    Long before the SPC's January 2026 'data disputes' case category started squeezing data registration certificates against judicial review, Wang Qinglan had already written the foundational critique: data registration does not 'confirm rights' because there are no legal data rights to confirm. The Data 20 Articles created data property rights, not data legal rights, and Chinese property rights are not Article-conferred civil rights. Registration certificates are 'trust credentials,' not 'rights certificates.' This is the doctrinal essay overseas counsel should read before the SPC sequel.

  • § 10 2024-04-11 Other

    Case Study — A Public-Data Operator Hands Personal Data to a Bank. Two Compliance Failures.

    A real-case analysis from Wang Qinglan. A state-affiliated auction company holds the public-data operating right for vehicle license-plate auction data. A bank persuades it to hand over the personal data of winning bidders. The bank builds a targeted credit product and pays the auction company RMB 12 million a year in revenue share. Two compliance failures: (1) no individual consent under PIPL; (2) no credit reference business license under the Credit Reference Industry Regulation and Credit Reference Business Measures. Public-data authorized operation does not displace the credit reference licensing regime.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.