China is closing out 2025 with significant steps to reinforce its data protection and cybersecurity regime. In the past month, Chinese regulators have unveiled multiple key draft regulations for public comments. These developments underscore China’s efforts to address the increasing data and security risks and the continuous enforcement of its Cybersecurity Law (CSL), Data Security Law (DSL) and Personal Information Protection Law (PIPL).
This blog post explores the following three key recent developments and their implications:
- Draft Provisions on Personal Information Protection for Large Online Platforms (released for comments on November 22, 2025)
- Draft Measures for Cyberspace Supervision and Inspection by Public Security Authorities (released for comments on November 29, 2025)
- Draft Measures for Network Data Security Risk Assessment (released for comments on December 6, 2025)
Draft Provisions on Personal Information Protection for Large Online Platforms (LOP Provisions)
1. Scope of large online platforms (LOPs)
The LOP Provisions apply to LOPs that are established and operated in China. The Cyberspace Administration of China (CAC), the Ministry of Public Security (MPS) and other competent authorities will designate a platform as a LOP by considering whether such platform:
- Has more than 50 million registered users or more than 10 million monthly active users.
- Provides critical network services or operates across multiple types of businesses.
- Possesses or processes data that, if leaked, tampered with or damaged, would have a significant impact on national security, economic operations or public welfare.
- Falls into the scope of other circumstances as determined by the CAC and the MPS.
Designated LOPs will be listed in a catalogue maintained by the CAC, MPS and other competent authorities.
2. Appointment of the “person responsible for personal information protection” (DPO)
A LOP must appoint a DPO and disclose their contact information. The DPO must be a member of the LOP’s management, hold the nationality of the People’s Republic of China (PRC) and have no overseas permanent residence or long-term residence permit. In addition, the LOP Provisions require the DPO to possess professional knowledge in personal information protection and have more than five years of relevant experience.
The DPO’s duties include, without limitation, guiding the LOP’s personal information processing compliance efforts, participating in decision-making related to personal information processing matters and exercising veto rights over such matters, supervising the processing activities and security measures adopted, and leading the development of rules for minors’ privacy protection. Note that the LOP Provisions empower the DPO to report personal information protection matters related to the LOP directly to the CAC and other competent authorities.
3. Data localization and cross-border data transfer requirements
LOPs are required to store personal information collected and generated from their operations in China locally. Cross-border transfers are allowed only if such transfers are necessary and will be conducted by LOPs in compliance with data transfer requirements under Chinese laws. In addition, the LOP Provisions impose specific requirements for data centers in which LOPs store data, including:
- The data center must be located in China.
- The person in charge of the data center must hold PRC nationality and have no overseas permanent residence or long-term residence permit.
- The data center’s security capabilities must comply with the requirements under applicable national standards in China.
LOPs are also obligated to file certain information about the data centers they use with the CAC and other competent authorities, such as the data centers’ management team and organizational structure, internal personal information protection policies, security measures adopted, and contracts signed with the data centers.
Draft Measures for Cyberspace Supervision and Inspection by Public Security Authorities (MPS Supervision and Inspection Measures)
These new draft MPS Supervision and Inspection Measures establish procedural rules and inspection criteria for public security authorities – i.e., China’s police force, the public security bureaus (PSBs) – and are intended to replace the existing Regulations on the Internet Security Supervision and Inspection by Public Security Authorities released in 2018.
1. Scope and applicability
The draft MPS Supervision and Inspection Measures permit PSBs to conduct inspections on the following types of entities:
- Internet service providers offering services, such as internet access, data centers, content delivery services, domain name services and information services.
- “Public internet access service providers” (e.g., hotels, hospitals or other public places that provide publicly available Wi-Fi connection).
- “Network operators” (i.e., entities that own or use networks to operate or provide services), along with their developers and maintenance providers.
- Critical information infrastructure operators, along with their developers and maintenance providers.
- Providers of network products and services.
- Data handlers and personal information handlers (i.e., entities that independently determine data/personal information processing purposes and means).
2. Inspection power of PSBs
Under the draft MPS Supervision and Inspection Measures, PSBs have the power to conduct both online and onsite inspections to assess an entity’s posture in cybersecurity, “information security” (undefined under these measures but likely referring to online content safety) and data security through measures such as “network information patrols,” “information review capability tests” (undefined under these measures but likely referring to content moderation capability), and vulnerability scanning. PSBs must focus their inspections on assessing whether the inspected entity has complied with certain key compliance requirements, including without limitation:
- Developing and implementing cybersecurity, “information security” and data security management programs and operating procedures.
- Recording and retaining required user registration information and internet logs.
- Complying with the obligations under China’s cybersecurity multilevel protection scheme (MLPS).
- Adopting technical measures to prevent viruses, cyberattacks and network intrusions.
- Providing technical support and assistance to PSBs for safeguarding national security, preventing and investigating terrorist activities, and investigating crimes.
Draft Measures for Network Data Security Risk Assessment (Risk Assessment Measures)
The Risk Assessment Measures define network data security risk assessment as “the identification, analysis and assessment of the risk associated with network data[i] and network data processing activities.”
Network data handlers[ii] processing “important data”[iii] (important data handlers) must proactively conduct the risk assessment on an annual basis. Other network data handlers that do not process “important data” are encouraged to conduct the risk assessment at least every three years. Risk assessments can be conducted by network data handlers themselves or by third-party institutions engaged by them. In addition to the risk assessments proactively conducted by network data handlers, the CAC and other competent authorities may also mandate network data handlers to engage a third-party institution to conduct risk assessments under the following circumstances:
- Where network data processing activities pose significant security risks.
- Where a network data security incident occurs, resulting in the leakage or theft of “important data” or large-scale personal information.
- Where network data processing activities may endanger national security or public interests.
- Other circumstances determined by the CAC or other competent authorities.
When conducting an annual risk assessment, important data handlers shall prepare an assessment report in accordance with the template attached to the Risk Assessment Measures and file such an assessment report with the competent authority (or the CAC, if the competent authority for an important data handler is unclear). Competent authorities and the CAC at provincial level or above may conduct random inspections and verifications of the authenticity and accuracy of the assessment reports, and network data handlers shall provide assistance.
Next Steps
Violations of these three regulations will be subject to applicable penalties imposed under the CSL, DSL and the PIPL. Companies providing services to Chinese customers and users should assess the applicability of these regulations and closely monitor their developments.
Authors
Will Pao, Partner, Los Angeles
Zhijing Yu, Associate, Singapore
Cooley LLP is not licensed to practice the law of the People’s Republic of China (PRC), and nothing herein constitutes an opinion or legal advice by Cooley with respect to PRC laws or otherwise. This blog may not be relied upon, construed as or used as an opinion, interpretation of or legal advice in any respect relating to or arising out of PRC laws or otherwise. This blog, and our review of the information referenced in this blog, is based solely upon our general familiarity with matters of the type referenced in this blog and the consultation with PRC counsel with respect to certain matters of PRC law or practice, as referenced in the blog, provided that notwithstanding such consultation, no opinions or legal advice with respect to PRC law are made herein. Any analysis, conclusion, advice or opinion with regard to PRC laws, or otherwise with regard to any of the matters referenced in this blog, must be obtained from PRC local counsel.
[i] “Network data” refers to electronic data processed and generated through networks.
[ii] “Network data handlers” refers to individuals or organizations that independently determine data processing purposes and means.
[iii] “Important data” refers to data in specific fields, specific groups or specific regions, or data that has reached a certain level of accuracy and scale, which, if tampered with, damaged, leaked or illegally obtained or used, may directly endanger national security, economic operations, social stability, public health and safety.
