Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains. 

I'm excited about the upcoming IAPP Europe Data Protection Congress next week in Brussels. It's always a fantastic opportunity to exchange ideas and insights with professionals in artificial intelligence, privacy and cybersecurity from around the world — and, of course, to indulge in some mouth-watering Belgian chocolates. I'm looking forward to catching up with old friends and meeting new ones.

Meanwhile, in Asia, the regulatory landscape for privacy, cybersecurity and AI continues to evolve rapidly. In China, the most significant development of the past few weeks is the approval of new amendments to the Cybersecurity Law (CSL), which take effect 1 Jan. 2026.

These amendments introduce dedicated provisions on AI, stating the government will strengthen AI ethics regulation and enhance AI risk assessment and governance, while also supporting innovation and promoting the development of training data resources. Although China has already implemented rules on algorithms, deepfake technology, generative AI and AI labeling, this marks the first time AI governance has been elevated to the level of national law.

The CSL amendments also emphasize the importance of supply chain cybersecurity. Both purchasers and suppliers/vendors of key network equipment and specialized cybersecurity products now have direct legal obligations to ensure compliance. All such equipment and products will be subject to mandatory safety certification and testing.

In addition, the scope of the CSL's extraterritorial application has been expanded. The law will now cover a wider range of cyberattacks and other illegal activities conducted by foreign entities or individuals located outside China.

One of the most striking changes is the 10-fold increase in legal liabilities for noncompliance with data protection and cybersecurity obligations. Monetary fines can now reach up to RMB10 million (approximately USD1.4 million), while individuals in charge of cybersecurity may face personal fines of up to RMB1 million (approximately USD140,000).

Together with the Data Security Law and the Personal Information Protection Law, the CSL forms the cornerstone of China's data and cybersecurity regulatory framework. The upcoming amendments will have far-reaching implications for businesses across all sectors, introducing new compliance obligations and significantly higher penalties, raising both the cost and risk of noncompliance. With less than two months before the amendments take effect on the first day of 2026, business organizations should assess the changes, review their cybersecurity frameworks, and take swift compliance actions.

On the AI front, China's national health care regulators released new policies 4 Nov. to promote and regulate the use of AI in the health care sector. While reinforcing privacy protection and data security, these policies encourage medical data sharing and promote efficient and orderly flow of data, enabling the exploration of data assets. They also include measures to foster innovation in medical large language models and to strengthen AI computing power and algorithmic development.

Regulators in Beijing and Shanghai continue to lead in conducting compliance investigations. On 3 Nov., Beijing's telecommunications regulator, the Ministry of Industry and Information Technology, published a blacklist of noncompliant mobile apps that collected personal data beyond necessity or failed to inform users of the purpose, method and scope of data collection. On the same day, Shanghai's telecom regulator, the Shanghai Communications Administration, issued a circular removing several noncompliant apps from app stores after they failed to rectify issues identified in prior regulatory notices.

Moving down to Hong Kong, the Office of the Privacy Commissioner for Personal Data released its annual report 22 Oct., highlighting key focus areas such as AI governance, data security, doxxing prevention, and cross-border data transfers within the Greater Bay Area — Hong Kong, Macau and nine cities in Guangdong Province. Between 2024 and 2025, the PCPD conducted over 130 investigations, including more than 80 criminal cases.

The privacy, cybersecurity and AI space in greater China continues to evolve dynamically. Stay tuned for further developments.

Barbara Li, CIPP/E, is a partner at Reed Smith. 

This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.