China issues Draft Rules on Personal Information Protection for Large Online Platforms for public comments

On 22 November 2025, the Cyberspace Administration of China (CAC) and the Ministry of Public Security issued a joint notice launching a public consultation on the Provisions on Personal Information Protection for Large Online Platforms (Draft for Comments). These Draft Provisions are intended to further regulate personal information processing by large online platforms and enhance protection of relevant rights and interests. Comments are invited until 22 December 2025.

Application scope

The Draft Provisions apply to “large online platforms” established or operating in the territory of the People’s Republic of China (PRC). Large online platforms include entities:

• having over 50 million registered users or 10 million monthly active users;
• providing important online services or operating across multiple business types;
• holding data whose breach could materially affect national security, economic operation, or public welfare.

The regulators will publish and update a catalogue listing the large online platforms falling under the above definition.

Highlights

The key points in the Draft Provisions include the following:

• Governance and accountability – Large online platform providers must appoint a personal information protection officer (PIPO) with Chinese nationality who does not hold a permanent residency or long-term residence permit in any foreign country. The PIPO may report directly to competent authorities. Large online platform providers are also required to establish a personal information protection department responsible for internal policies, risk monitoring, incident response, complaint handling, etc. Relevant information concerning the PIPO and the personal information protection department must be filed and updated with the CAC.
   
• Data localisation and storage controls – Personal information collected or generated in China must be stored in data centres based in China whose responsible personnel must be Chinese without a permanent residency or long-term residence permit in any foreign country. These data centres will assist large online platform providers in fulfilling their obligations regarding the protection of personal information. Use of third-party data centres requires detailed contracts and regulatory filings.
   
• Detailed data transfer requirements – The Draft Provisions introduce detailed requirements on transferring personal information from large online platform providers to other designated data handlers upon the request of the data subjects. These requirements include transfer formats and notification methods.
   
• Mandatory audit and third-party storage – Under the Draft Provisions, regulators reserve the power to mandate third-party audits in certain scenarios, including illegal cross-border transfer and major incidents. In addition, where a platform is deemed to be unable to ensure personal information security, regulators may require storage in compliant third-party data centres.

Summary

Although the Draft Provisions are still open for comments, they signal China’s continued focus on stronger, platform-specific personal information governance. Large online platforms should review governance structures, localisation arrangements, and other compliance measures to ensure they are properly aligned with the future implementation of the Draft Provisions.

The original publication can be found here (Chinese only).

For more information on the Draft Provisions and personal information regulations in China, contact your CMS client partner or the CMS experts who wrote this article.