
China Releases Draft Rules on Personal Information Protection for Large Online Platforms

Published 3 December 2025 Sarah Xuan
On 22 November 2025, the Cyberspace Administration of China (“CAC”) published the Provisions on Personal Information Protection for Large Online Platforms (Draft for Comment) (“Draft Provisions”), jointly drafted with the Ministry of Public Security, to regulate the personal information processing activities of large online platforms established or operated within China. The scope is expected to include domestic entities such as Tencent, ByteDance, Pinduoduo, and Alibaba, as well as overseas platforms operating in China such as LinkedIn, Amazon China, and Apple’s App Store in China. According to the Draft Provisions, online platforms meeting criteria such as having a massive user base (exceeding 50 million registered users or 10 million monthly active users), operating complex business types (providing critical network services or managing multiple lines of business), or possessing and processing data affecting national security shall be designated as “large online platforms” by the CAC and the Ministry of Public Security, with the designation subsequently made public. Comprising 24 articles, the Draft Provisions primarily establish obligations concerning personal information protection and data security for network data processors providing services through large online platforms (“Large Online Platform Service Providers”).
Regarding personal information protection, the Draft Provisions first require Large Online Platform Service Providers to designate a Personal Information Protection Officer from among their senior management personnel. This officer must hold Chinese nationality, possess no permanent residency or long-term residence permit abroad, have professional knowledge of personal information protection, and possess over five years of relevant work experience. The Personal Information Protection Officer is primarily responsible for guiding the platform’s personal information processing activities; participating in relevant decision-making with veto power over personal information processing matters; taking immediate action upon discovery of significant security risks or non-compliant/illegal situations; and organizing the formulation of specific rules for processing minors’ personal information. The Draft Provisions specifically note that the Personal Information Protection Officer may report directly to authorities such as the CAC. This provision is presumably applicable only in exceptionally urgent circumstances, given that the Personal Information Protection Officer remains a member of the platform’s senior management and is consequently subject to its internal governance regulations.
Secondly, the Draft Provisions require Large Online Platform Service Providers to establish a dedicated Personal Information Protection Department, which may be established as a separate entity or have its functions performed concurrently by an existing department. Operating under the leadership of the Personal Information Protection Officer, this department is responsible for implementing specific personal information protection tasks. These include formulating and enforcing relevant internal policies and systems, organizing activities such as security risk monitoring, risk assessment, and compliance audits, promptly addressing personal information security risks and incidents, designating specific personnel to oversee the protection of minors’ personal information, handling related complaints and reports, and annually preparing and publishing a Personal Information Protection Social Responsibility Report for the platform.
Thirdly, the Draft Provisions further enhance requirements for personal information protection compliance audits across three key areas. Firstly, they encourage Large Online Platform Service Providers to engage accredited third-party professional organizations to conduct activities such as personal information protection compliance audits and risk assessments. The registered office of any such engaged third-party professional organization must be located within China. Secondly, in cases involving significant security risks or non-compliant/illegal activities, the third-party professional organization may report directly to authorities such as the CAC. Furthermore, compared to the Measures for the Administration of Personal Information Protection Compliance Audits, the Draft Provisions add a mandatory audit trigger for scenarios involving “multiple instances of non-compliant/illegal activities such as unauthorized cross-border transfer of personal information”. This reflects, from another perspective, China’s stringent regulatory stance on the cross-border transfer of personal information.
Fourthly, the Draft Provisions stipulate for the first time requirements concerning the right to data portability. Article 45 (3) of the Personal Information Protection Law provides that “where an individual requests the transfer of his/her personal information to a designated personal information processor, the personal information processor shall provide a means of transfer if the conditions specified by the national cyberspace authority are met”. The Draft Provisions require Large Online Platform Service Providers to provide convenient methods and channels for individuals to exercise their rights, such as accessing, copying, correcting, supplementing, deleting, restricting the processing of their personal information, or closing accounts and withdrawing consent. Upon receiving such a request, the Large Online Platform Service Provider shall, within 30 working days, transfer the personal information in a common, machine-readable format and notify the individual of the outcome. This period may be extended by a further 30 working days if necessary. Necessary fees may be charged in cases involving repeated requests for personal information transfer. The Draft Provisions endorse the provision of transfer channels through application programming interfaces or other standardized technical means, and mandate measures such as identity verification and encrypted transmission to ensure the security of personal information transfers.
Regarding data security, the Draft Provisions require Large Online Platform Service Providers to store personal information collected and generated in the course of their operations within China in data centers located within China. Such data centers must be established in China, with their principal responsible persons holding Chinese nationality and possessing no permanent residency or long-term residence permit abroad, and their security must comply with relevant national standards. These data centers are primarily responsible for assisting Large Online Platform Service Providers in formulating internal personal information management systems and operational procedures; promptly implementing remedial measures upon discovering risks such as security flaws or vulnerabilities; notifying relevant parties of personal information security incidents and immediately activating emergency response plans; and promptly executing requirements issued by authorities such as the CAC and the Ministry of Public Security. The Draft Provisions stipulate that when a Large Online Platform Service Provider engages a third-party data center to store personal information, a contract must be concluded specifying details such as storage location, scale, and categories, and clearly defining the fulfillment of the aforementioned obligations as well as additional duties to accept supervision, provide facilitative measures, and assist in security management. For cases where it is genuinely necessary to provide personal information overseas, the Draft Provisions require Large Online Platform Service Providers to strictly comply with relevant national regulations on data export security management, improve technical and administrative measures related to personal information export security, and promptly prevent and address security risks and threats arising from non-compliant or illegal cross-border transfers of personal information.
The Draft Provisions clarify that Large Online Platform Service Providers bear primary responsibility for the security of the personal information they process. These providers are required to report basic information concerning their Personal Information Protection Officer, Personal Information Protection Department, and data centers to the CAC. In addition to the CAC, the Ministry of Public Security is also a competent supervisory authority for Large Online Platform Service Providers. On 29 November 2025, the Ministry of Public Security published the Measures for the Supervision and Inspection of Cyberspace Security by Public Security Organs (Draft for Comment), which grants public security authorities oversight and inspection powers in the areas of cybersecurity, data security, and information security. According to the Draft Provisions, Large Online Platform Service Providers constitute one of the entities subject to supervision by public security authorities.