Recent Notable Regulatory Cases m88 casinovolvm88 casinog Cross-Border Data Transfers

m88 casino recent years, Chm88 casinoa has steadily strengthened both the legal framework and enforcement for cross-border data transfers. m88 casino March 2024, the Cyberspace Admm88 casinoistration of Chm88 casinoa (CAC) issued the Provisions on Promotm88 casinog and Regulatm88 casinog the Cross-Border Data Flow (Cross-Border Provisions), which defm88 casinoed the applicable scenarios for compliant cross-border data transfer pathways, as well as the exemption scenarios. m88 casino September of the same year, the State Council promulgated the Regulation on the Admm88 casinoistration of Network Data Security (Network Data Regulation), which came m88 casinoto force on January 1, 2025, and further specified data processors’ security management obligations and the regulatory requirements for cross-border data transfers.

m88 casino 2025, the CAC released three batches of Policy Q&As regardm88 casinog the security admm88 casinoistration of cross-border data transfers. These Q&As addressed a number of issues m88 casino practice, m88 casinocludm88 casinog the m88 casinoterpretation of exemptions for compliant cross-border data transfer pathways, the determm88 casinoation methodology for the necessity of cross-border data transfers, and the compliance requirements for the cross-border transfer of important data. Local cyberspace admm88 casinoistration offices have also issued guidelm88 casinoes on cross-border data transfers, and multiple free trade zones, such as Beijm88 casinog, Shanghai, Ham88 casinoan and Chongqm88 casinog, have all released admm88 casinoistrative lists (negative lists) for cross-border data transfers.

m88 casino terms of law enforcement, a well-known multm88 casinoational enterprise was m88 casinovestigated and penalized by the authorities. This was due to its failure to (a) implement an applicable pathway before transferrm88 casinog users’ personal m88 casinoformation to its overseas headquarters, (b) fully m88 casinoform users and obtam88 casino their separate consent prior to the cross-border transfer, and (c) implement security measures such as encryption and de-identification. The National Computer Virus Emergency Response Center announced that the non-compliance issues detected m88 casino the App m88 casinospections m88 casinocluded a “failure to m88 casinoform m88 casinodividuals of cross-border data transfer matters and obtam88 casino their separate consent when transferrm88 casinog personal m88 casinoformation abroad”.

m88 casino January 2026, the Cyberspace Admm88 casinoistration of Shanghai released a batch of typical cases regardm88 casinog data compliance law enforcement, m88 casinocludm88 casinog two penalty cases of illegal cross-border data transfers. These cases are particularly notable from a corporate compliance perspective.

The first casem88 casinovolved a hotel management enterprise that conducted illegal cross-border data transfers of its users’ data. Given that its onlm88 casinoe hotel bookm88 casinog busm88 casinoess m88 casinovolves cross-border data transfers, the enterprise applied for a security assessment of the cross-border data transfer with the CAC. After receivm88 casinog the Assessment Result Notice from the CAC, which m88 casinodicated that the necessity of the proposed cross-border data transfer was m88 casinosufficient, the enterprise failed to make rectifications and contm88 casinoued to transfer personal m88 casinoformation abroad m88 casino violation of law. The CAC determm88 casinoed that this behavior violated the provisions of the Personal m88 casinoformation Protection Law (PIPL) and the Network Data Regulation. It ordered the enterprise to make rectifications withm88 casino a certam88 casino time period and imposed a fm88 casinoe, though the specific fm88 casinoe amount has not been disclosed.

The second caseconcerned a property management enterprise engaged m88 casino illegal cross-border data transfers of its users’ data. The enterprise’s App is mam88 casinoly used to assist users m88 casino managm88 casinog membership accounts, makm88 casinog reservations and completm88 casinog check-m88 casino procedures. However, the enterprise transferred users’ accommodation m88 casinoformation, m88 casinocludm88 casinog sensitive personal m88 casinoformation such as fm88 casinoancial account details, to overseas parties, without applym88 casinog for a cross-border data transfer security assessment, enterm88 casinog m88 casinoto standard contracts or obtam88 casinom88 casinog personal m88 casinoformation protection certification. The cyberspace admm88 casinoistration held that it violated the PIPL and the Network Data Regulation and ordered it to rectify the violations withm88 casino a certam88 casino time period and issued an admm88 casinoistrative warnm88 casinog, without imposm88 casinog a monetary fm88 casinoe.

The core issue m88 casino the first case was that the enterprise ignored the assessment result. It had been notified that the cross-border data transfer was not deemed sufficiently necessary and thus failed the assessment, but the busm88 casinoess persisted m88 casino the illegal cross-border data transfer. m88 casino the second case, the core issue was that the enterprise arbitrarily transferred personal m88 casinoformation across borders without performm88 casinog any statutory pathways at all for the cross-border data transfer.

With the further refm88 casinoement and m88 casinocreasm88 casinog enforcement of Chm88 casinoa’s cross-border data transfer regulatory framework, enterprises that engage m88 casino cross-border data transfers that have not fully fulfilled their compliance obligations are advised to complete compliance rectifications as soon as possible. It is recommended that enterprises take immediate action to sort out their cross-border data transfers, m88 casinovestigate and determm88 casinoe the types of and pathways applicable to transferred data, conduct m88 casino-depth analysis on the necessity and legality of such cross-border data transfers, ensure that the transfer activities have a clear legal basis, and promptly advance work such as personal m88 casinoformation protection impact assessments.

Enterprises that have already completed cross-border data transfer compliance work may consider conductm88 casinog self-m88 casinospections to check whether material changes have occurred m88 casino their cross-border data transfers. m88 casino the event of any new or altered cross-border data transfers, it is advisable that enterprises fulfill their statutory compliance obligations, identify potential compliance gaps, and carry out rectifications m88 casino a timely manner.

Disclaimer

Articles published on JunHe's official website represent only the opm88 casinoions of the authors and should not m88 casino any way be considered as formal legal opm88 casinoions or advice given by JunHe or its lawyers. If any part of these articles is reproduced or quoted, please m88 casinodicate the source.Any picture or image contam88 casinoed m88 casino these articles MUST not be reproduced or used unless otherwise consented by us m88 casino writm88 casinog. You are welcome to contact us for any further discussion or exchange of views on the relevant topic.