DCC summary, not a translation. GB/T 45392-2025 is a copyrighted national standard. The structured summary below is DCC’s own paraphrase grounded in the standard’s title and number; specific clauses should be checked against the published text.
Scope
GB/T 45392-2025 specifies security requirements for automated decision-making that relies on personal information — that is, the use of personal information by computer programs to automatically analyze or assess individuals’ behavior, habits, interests or status and to make decisions. It applies to handlers that conduct such automated decision-making, and is a reference for regulators and assessors.
It is a recommended standard in the “Data Security Technology” (数据安全技术) series, sitting at the intersection of personal-information protection and the algorithm-governance regime.
Key contents
At a structural level the standard is expected to cover:
- General security requirements for automated decision-making based on personal information, applying PIPL’s transparency and fairness principles.
- Transparency and fairness of outcomes — requirements aimed at ensuring decision logic is appropriately disclosed and that results are reasonable and non-discriminatory.
- Prohibition on unreasonable differential treatment — controls against using automated decisions to apply unjustified differences in transaction price or terms to individuals (the “big-data price discrimination” concern).
- Personalized push and marketing — requirements to offer options not targeted to personal characteristics, or a convenient means to refuse.
- Individual rights — supporting the right to an explanation and the right to refuse decisions made solely through automated means where they significantly affect the individual.
- Risk assessment, security measures and governance for automated-decision systems.
Editor: verify specific clauses against the published standard.
How it fits the regime
GB/T 45392 operationalizes PIPL Article 24, which governs automated decision-making: it requires transparency and fair, reasonable outcomes; prohibits unreasonable differential treatment in transaction terms; requires that information push and commercial marketing using automated decision-making offer options not targeted to personal characteristics or an easy way to decline; and gives individuals the right to an explanation and to refuse decisions made solely by automated means where those decisions have a significant effect on their rights and interests. A PIPIA is required before automated decision-making under Article 55.
The standard supplies the security and implementation detail behind these duties, and dovetails with the Provisions on the Administration of Algorithmic Recommendation in Internet Information Services and the broader algorithm-governance framework. For overseas compliance teams running recommendation, pricing, scoring or profiling systems in China, it is the reference for designing those systems to meet both the personal-information and algorithm-governance expectations.