Notes from the Asia-Pacific region: China’s proposed privacy standard update targets AI, sensitive data

Notes from the Asia-Pacific region: China’s proposed privacy standard update targets AI, sensitive data

Notes from the Asia-Pacific region: China’s proposed privacy standard update targets AI, sensitive data

https://iapp.org/news/a/notes-from-the-asia-pacific-region-china-s-proposed-privacy-standard-update-targets-ai-sensitive-data

Publish Date: 2026-07-02 09:35:00

Source Domain: iapp.org

The data privacy space in China has been particularly active over recent weeks.

On 17 June, China’s National Information Security Standardisation Technical Committee, known as TC260, released a proposed draft to amend the national personal information standard, the Information Security Technology — Personal Information Security Specification, with a view to revamping the current version adopted in 2020. A consultation period ends 16 Aug. 

The new draft proposes significant changes, including the introduction of comprehensive and enhanced compliance requirements for artificial intelligence scenarios. Companies must obtain explicit consent from data subjects when deploying deep synthesis technologies involving biometric information. Additionally, they must adhere to restrictions on user profiling, automated decision-making, application programming interface integration with large language models, and autonomous AI applications.

Under the draft, the scope of sensitive personal information expands. While traditional categories such as biometric data, religious beliefs, financial and health data, precise geolocational information and children’s information under age 14 remain within the scope, multiple categories of ordinary personal information may cross the threshold into sensitive personal information.

In terms of legal basis for personal data collection, the new standard aligns more closely with the EU General Data Protection Regulation. Businesses are required to maintain clear records to verify, track and demonstrate compliance with the relevant legal basis. The revised standard provides practical guidance and examples for selecting appropriate legal basis across different scenarios, while strengthening privacy notification and consent requirements.

A new chapter is proposed to address privacy law conflicts in international operations. Companies are expected to establish mechanisms to identify potential conflicts between jurisdictions, develop compliance…

Source