In a push to strengthen data privacy on China’s major digital platforms, the Cyberspace Administration of China (CAC) and the Ministry of Public Security have released a draft set of regulations. Titled “Regulations on Personal Information Protection of Large-Scale Online Platforms (Draft for Comment),” the draft builds directly on the Personal Information Protection Law (PIPL). It aims to protect users while keeping the platform economy growing steadily. The draft came out earlier this week, and comments are open until December 22, 2025, so everyone has a chance to weigh in.
For companies doing business in China or partnering with Chinese firms, these rules are more than just paperwork. They’re a practical guide to better data handling under increasing oversight. Here at Captain Compliance, we’ll walk through the key points, with tips on what to do next to keep things smooth.
Who Counts as a Large-Scale Platform?
The draft starts by spelling out what makes an online platform “large-scale.” The CAC, working with the Ministry of Public Security and other departments, will maintain an up-to-date list based on a few main factors:
- Big user numbers: More than 50 million registered users or 10 million monthly active ones.
- Broad services: Platforms that cover key online areas or multiple types of business.
- High risks: Where a data issue could hit national security, the economy, or public safety.
- Other considerations set by regulators.
This list won’t stay static—it’ll evolve to match new risks, from shopping sites to social apps.
Stepping Up Accountability with a Dedicated Leader
Responsibility is front and center. Every platform must name a personal information protection officer (PIPO) from its senior management. This person must be a Chinese national without foreign permanent residency and have at least five years of experience in data privacy work. The role may be combined with that of the chief data security officer.
The PIPO gets real authority:
- Guiding day-to-day data practices and blocking unsafe moves.
- Watching for issues, alerting regulators, and passing serious cases to law enforcement.
- Creating special rules for handling children’s data.
Platforms must also build out a personal information protection team to handle audits, complaints, and related duties, and publish an annual social responsibility report. If the officer or team changes, the platform must notify the CAC within 20 working days.
Quick advice: Give your PIPO the tools and backing they need—it’s like having a built-in early warning system.
Storing Data Close to Home and Tight Border Rules
Following PIPL’s lead, personal information collected in China must be stored in China. Transferring it abroad requires passing the required security review first.
Data storage centers have their own standards:
- Located in China, led by a Chinese national (no foreign residency).
- Meeting the required national security standards.
For third-party storage providers, contracts must require prompt breach notification and cooperation with incident reporting. Platforms must file details of these storage arrangements, including contract changes, with the authorities within 10 days.
For your team: Check your data partners today. Getting caught off-guard could mean scrambling to switch setups.
Making It Easy for Users to Take Control
Users get clearer paths to their PIPL rights, like checking, fixing, deleting, or moving their data. Platforms respond in 30 working days (with one possible extension for valid reasons), using safe, easy-to-use formats.
If requests pile up, reasonable fees can cover the cost of handling them. It’s a balance between user rights and running a business.
Checks and Balances: Internal Reviews to Official Scrutiny
Platforms are expected to run regular self-assessments and risk scans, ideally performed by independent experts certified in China. These experts can report problems directly to regulators if needed.
Regulators step in harder for repeat offenders, major breaches (for example, more than 1 million user records), or widespread harm, triggering mandatory external audits. Platforms must give auditors full access to records, and in serious cases data storage may be ordered moved to another arrangement.
Room for Growth and Working with the World
It’s not all restrictions. The draft supports tools such as national ID verification, data classification and tagging, and privacy certifications. Platforms are encouraged to innovate, align with international standards, and build cross-border data-sharing arrangements.
Backing It Up: Reports, Enforcement, and Speaking Up
Anyone can report violations to the relevant agencies, which must respond within 15 days. Agencies share findings for joint enforcement, with penalties ranging from fines to criminal liability. Anyone handling sensitive data must keep it confidential.
For national secrets or key infrastructure, extra rules like the State Secrets Law apply on top.
Putting It All Together for Your Operations
These rules double down on China’s focus on data staying secure at home, much like GDPR elsewhere but with a stronger national angle. For platforms, it’s about weaving privacy into everything from the start. For everyone else, it’s a nudge to double-check ties with Chinese operations.
The final rules will land on a date TBD, so use this time to get your data governance in order and let the team here at Captain Compliance lend a hand to help mature your data privacy posture. If you deal with data subjects in China we ask that you reach out for a PIPL checkup and security assessment to make compliance work for you and avoid very expensive privacy fines.