China Releases Draft Rules to Ease Data Compliance Burdens for Small Personal Information Processors
Published 10 April 2026
Xia Yu
On 3 April 2026, the Cyberspace Administration of China (“CAC”) released its draft Provisions on Simplified Measures for Personal Information Protection by Small Personal Information Processors (Draft for Comment) (“Draft Measures”), with a public comment period ending on 3 May 2026. The Draft Measures is a key supporting instrument implementing the mandate of Article 62 of the Personal Information Protection Law (“PIPL”) to “formulate special rules and standards for small personal information processors”. Its core objective is to reduce compliance costs for the vast number of micro, small and medium-sized enterprises while safeguarding personal information security.
Overview of the Draft Measures
Article 62 of the PIPL requires the national cyberspace administration to: “(1) formulate specific rules and standards for personal information protection; (2) formulate special rules and standards for small personal information processors, the processing of sensitive personal information, and new technologies and applications such as facial recognition and artificial intelligence; (3) support the research, development and promotion of secure and convenient electronic identity authentication technologies, and advance the construction of public services for network identity authentication; (4) promote the development of a socialized service system for personal information protection, and support relevant institutions in carrying out personal information protection assessment and certification services; and (5) improve the complaint and reporting mechanism for personal information protection.”
Pursuant to this authorization, the CAC drafted the Draft Measures to improve the personal information protection level of small personal information processors, reduce their compliance costs, and foster innovation and development of micro, small and medium-sized enterprises. The Draft Measures applies to the implementation of personal information protection by small personal information processors within the territory of China. A “small personal information processor” is defined as a personal information processor that processes the personal information of fewer than 100,000 individuals.
The Draft Measures contains 22 articles, focusing on general requirements for personal information protection, simplification of personal information processing rules, simplification of obligations for small personal information processors, and provisions on non‑penalty and lighter or mitigated penalties. The Draft Measures provides simplified measures across multiple dimensions, including: significant streamlining of personal information processing rules (Articles 4 and 5); exemption from notification obligations under specified conditions (Articles 6 and 8); extension of the compliance audit cycle for personal information protection to once every five years, using a self‑inspection form (Article 14); simplified impact assessment forms (Article 15); and simplified notification of security incidents, e.g., by posting public notices (Article 17). In addition, the Draft Measures includes provisions on non‑penalty and lighter or mitigated penalties (Articles 19 and 20), and encourages regions and departments to provide infrastructure, technical tools and advisory services to small personal information processors (Article 21).
Green Channel for Small Processors’ Data Exports
Article 11 of the Draft Measures establishes six scenarios in which small personal information processors are exempt from applying for data export security assessments, executing standard contracts, or obtaining certification for cross‑border transfers of personal information. This breakthrough arrangement has significant practical implications for industries such as cross‑border e‑commerce and cross‑border human resources management.
Paragraph 1 of Article 11 provides that where a small personal information processor transfers personal information overseas, it is exempt from applying for a data export security assessment, executing a standard contract for personal information export, and obtaining personal information protection certification if any of the following conditions is met:
1. The transfer is necessary for the conclusion or performance of a contract to which the individual is a party (e.g., cross‑border shopping, cross‑border delivery, cross‑border payment, cross‑border account opening, airline and hotel bookings, visa application, examination services). This subparagraph clarifies the exemption for cross‑border transaction scenarios, responding to practical issues in cross‑border e‑commerce, cross‑border tourism and online education. For example, a sole proprietor selling handicrafts on an e‑commerce platform may process fewer than 1,000 overseas customers’ personal information (name, address, payment information) per year. Under current rules, a standard contract would still be required. After the new rules take effect, as long as the processing is “necessary” to complete the cross‑border transaction, the data may be legally exported without any prior approval.
2. The transfer is necessary for cross‑border human resources management under labor rules or collective contracts formulated in accordance with law.
3. The transfer is necessary in an emergency to protect the life, health or property of a natural person.
4. The transfer is necessary for the performance of a statutory duty or obligation.
5. For a personal information processor other than a critical information infrastructure operator, the cumulative number of individuals whose personal information (excluding sensitive personal information) is provided overseas from 1 January of the current year is less than 100,000. This subparagraph aligns with the definition of “small personal information processor” (processing personal information of fewer than 100,000 individuals), linking the export exemption to the processor’s status. The cumulative calculation period begins on 1 January of each year and resets annually. Moreover, the phrase “excluding sensitive personal information” means that sensitive personal information provided overseas is not counted toward the 100,000 threshold. Sensitive personal information remains subject to stricter management requirements (e.g., separate consent, impact assessment), but small processors do not lose the exemption simply because they export sensitive personal information. This design is consistent with the logic in the Personal Information Export Certification Measures [ https://www.cac.gov.cn/2025-10/17/c_1762449728720008.htm ] of “setting separate thresholds for general personal information and sensitive personal information”.
6. Other conditions stipulated by laws, administrative regulations or the national cyberspace administration.
Paragraph 2 of Article 11 clarifies that the above circumstances do not include important data. For the few small processors that still need to apply for a security assessment (for example, because they process sensitive personal information exceeding a specific threshold or involve important data), paragraph 3 provides a procedural simplification: the provincial‑level cyberspace administration shall assess the matter and submit its assessment conclusion and recommendation to the national cyberspace administration for approval. Compared with the current process under which all security assessments must be submitted to the national cyberspace administration, this adjustment will materially reduce waiting times and communication costs for small processors. Paragraph 4 encourages relevant departments and service centers to provide advisory services to small personal information processors for data exports.
The CAC’s Provisions on Promoting and Regulating Cross‑Border Data Flow, issued on 22 March 2024, already provided exemptions for certain low‑risk scenarios (e.g., cross‑border shopping, human resources management), but those exemptions applied only to “security assessments”, not to “standard contracts”. Article 11 of the Draft Measures goes further by exempting both standard contracts and certification, representing a higher level of simplification. After the formal rules take effect, the order of application between the old and new rules will need to be clarified.
China’s current cross‑border data transfer regulatory framework (security assessment, standard contract, certification) applies uniformly to all types of personal information processors, resulting in high compliance costs. For a small processor processing the personal information of fewer than 100,000 individuals, requiring substantial resources to complete a security assessment or engage professional counsel to draft a standard contract often leads to a situation where “compliance costs exceed the risk of non‑compliance”, which may actually discourage compliance. The breakthrough of Article 11 of the Draft Measures lies in linking the scale of the processor to the intensity of export regulation and directly exempting low‑risk export scenarios from all three procedures, reflecting a regulatory philosophy of “substance over form”.
Conclusion
The release of the Draft Measures marks a substantive step in China’s personal information protection regulation from a “one‑size‑fits‑all” approach to a “tiered and classified” approach. For small personal information processors, compliance burdens will be significantly reduced. For the data factor market as a whole, this institutional arrangement will help unlock the innovative vitality of micro, small and medium-sized enterprises.