Notes from the Asia-Pacific region: China’s proposed privacy standard update targets AI, sensitive data

A proposed update to China's national personal information standard would strengthen compliance expectations for AI, expand the scope of sensitive personal information, address legislative privacy conflicts in international operations, and more.

Contributors: Barbara Li, CIPP/E, Partner, Reed Smith

Editor's note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.

The data privacy space in China has been particularly active over recent weeks.
On 17 June, China's National Information Security Standardisation Technical Committee, known as TC260, released a proposed draft to amend the national personal information standard, the Information Security Technology — Personal Information Security Specification, with a view to revamping the current version adopted in 2020. A consultation period ends 16 Aug.
The new draft proposes significant changes, including the introduction of comprehensive and enhanced compliance requirements for artificial intelligence scenarios. Companies must obtain explicit consent from data subjects when deploying deep synthesis technologies involving biometric information. Additionally, they must adhere to restrictions on user profiling, automated decision-making, application programming interface integration with large language models, and autonomous AI applications.
Under the draft, the scope of sensitive personal information expands. While traditional categories such as biometric data, religious beliefs, financial and health data, precise geolocation information and the information of children under age 14 remain within the scope, multiple categories of ordinary personal information may cross the threshold into sensitive personal information.
In terms of the legal basis for personal data collection, the new standard aligns more closely with the EU General Data Protection Regulation. Businesses are required to maintain clear records to verify, track and demonstrate compliance with the relevant legal basis. The revised standard provides practical guidance and examples for selecting an appropriate legal basis across different scenarios, while strengthening privacy notification and consent requirements.
A new chapter is proposed to address privacy law conflicts in international operations. Companies are expected to establish mechanisms to identify potential conflicts between jurisdictions, develop compliance protocols, assign dedicated internal teams, adopt the required legal regime such as standard contractual clauses for cross-border data transfers, and follow best practices to mitigate risks.
The proposed draft emphasizes stronger accountability across the entire supply chain. Companies are advised to implement robust procedures for onboarding, assessing and auditing suppliers, vendors, software development kit providers and other third-party partners. Notably, they remain liable for data breaches caused by those third parties.
Given that China's Personal Information Protection Law contains high-level provisions in many clauses, the national standard plays a critical role in practice. It clarifies implementation details for PIPL compliance, serving as a widely accepted reference for businesses and even Chinese regulators when designing compliance frameworks and measures.
Once finalized, the new standard will have significant implications for China's data-driven economy.
On the enforcement front, Chinese regulators continue their investigations. In June, joint operations by provincial agencies of the Cyberspace Administration of China, the Ministry of Industry and Information Technology, and the Ministry of Public Security removed or suspended numerous apps and mini-programs for PIPL violations, imposing hefty fines on offenders.
Looking south to Hong Kong, 2026 marks the 30th anniversary of the Office of the Privacy Commissioner for Personal Data. I was honored to attend the summit celebrating this milestone and witness the launch of the Hong Kong International Data Privacy Academy, which aims to position Hong Kong as a hub for nurturing high-caliber privacy talent.
Finally, the IAPP Asia Forum 2026, one of the most influential data, AI and cybersecurity events in the APAC region, is approaching. I look forward to learning from industry experts and thought leaders shaping regional and global trends and am very excited to reconnect with many familiar faces and meet new ones.
This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter.



