China drafts rule requiring big tech to store personal data in state-vetted data centers
Four years after passing the Personal Information Protection Law (PIPL), China’s top cyber regulator is now drafting a new rule specifically targeting personal information protection practices of large tech platforms. Today, the CAC released the draft rules and invited public comments.
The draft introduces the concept of “major online platforms” (大型网络平台), referring to platforms with tens of millions of users, broad and complex business lines, and large amounts of data that, if leaked, could affect national security or the functioning of society. The aim is to set clearer rules on how these platforms collect and use personal data, protect user rights, and ensure data is handled legally and appropriately.
More specifically, the designation of a “major online platform” mainly looks at four factors:
(1) the platform is large—typically over 50 million registered users or 10 million monthly active users;
(2) it provides important network services or operates across multiple business types with obvious cross-sector platform functions;
(3) the data it processes is highly sensitive—leaks, tampering, or destruction could significantly impact national security, economic stability, or key public services;
(4) other circumstances determined by the CAC and the Ministry of Public Security.
In short, being labelled a “major online platform” means the platform is not only huge and functionally complex, but also carries systemic importance and risk—thus facing much higher regulatory obligations.
This framework appears to borrow from the EU Digital Markets Act (DMA) concept of a “gatekeeper”: a company that meets certain size thresholds, provides “core platform services,” and holds a stable and entrenched market position in the EU. Concretely, it must have significant economic strength (e.g., €7.5 billion in annual EU turnover or a €75 billion market cap), offer services classified as core platform services (such as online intermediaries, search engines, social networks, operating systems, browsers, virtual assistants, cloud services, or online advertising), and reach widespread user coverage (at least 45 million monthly active end users and 10,000 business users in the EU), with these conditions met for at least three consecutive years. Companies that meet all these cumulative criteria can be formally designated as gatekeepers and become subject to the DMA’s obligations and oversight.
Under the draft rule, large platforms must build a much stricter personal information protection mechanism. They must appoint a “Personal Information Protection Officer” (a Chinese national with no foreign permanent residency who holds a management-level position) together with a dedicated data protection team. This officer must supervise all personal data processing, hold veto power over processing decisions, and step in and report to the CAC or the police when risks or violations occur. Platforms must also perform risk assessments, conduct compliance audits, prepare emergency response plans, handle user complaints, and publish an annual social responsibility report on personal information protection.
The draft also lays out very specific requirements on data storage and cross-border transfers: all personal data collected or generated inside China must be stored inside China, in data centers that meet strict security requirements and whose key managers must be Chinese nationals. If data genuinely needs to be transferred abroad, the transfer must follow China’s data-export rules. If a platform experiences a major data leak, repeated illegal data exports, or a security incident involving a large number of users, regulators can compel the platform to undergo third-party audits, make corrections, or even move all its data into an approved data center.
With these provisions, China appears to be building a regime of “state-supported/verified data centers” and requiring major online platforms to store personal data only in such facilities. The draft sets out three high-level criteria:
(1) Located within the territory of the PRC;
(2) The principal person in charge holds PRC nationality and has no foreign permanent residency or long-term residence permit;
(3) Meets the security requirements of relevant national standards.
The first two are straightforward; the third is more ambiguous. In reality, China already has a full suite of national standards for data centers, centered on the Data Center Design Code (GB 50174), supplemented by general specifications for computer room facilities, security requirements for data-center environments, and standards covering energy efficiency, green data centers, operations, data security, and classified cybersecurity protection. “Relevant standards” could refer to this existing system, or China may formulate even more detailed, dedicated standards for such data centers.
This draft rule obviously benefits tech companies that already operate their own cloud infrastructure, such as Alibaba, Baidu, Huawei, and Tencent. Tech companies that do not run their own compliant data centers but still need to store personal information must ensure that the facilities they use satisfy these requirements, or else choose a qualified third-party data center that does. Moreover, if the CAC finds that a major online platform lacks the capability to adequately protect personal information, regulators may require it to move its data to a qualified third-party data center through contractual arrangements.
This also means that the model of U.S. or European companies directly transferring personal data from China back to their headquarters will no longer work. They must store such data in a data center trusted by China.
Overall, the draft rule reinforces a broader shift in global data governance: countries are increasingly requiring foreign firms either to set up domestically regulated data centers or to partner with trusted local hosting providers, so that data sovereignty is not compromised by foreign legal jurisdiction. This trend is driven by concerns over data security, law enforcement access, digital sovereignty, cross-border legal conflicts (e.g., the CLOUD Act vs. the GDPR), and governments’ desire for control over critical digital infrastructure. Apple’s partnership with Guizhou-Cloud Big Data, Microsoft’s “Germany Data Trustee” model with Deutsche Telekom, and Azure’s sovereign-cloud arrangement with Orange in France are all early examples of this shift.
The unofficial translation of the draft rules is available below:
Provisions on Personal Information Protection for Major Online Platforms (Draft for Public Comment)
Article 1
These Provisions are formulated in accordance with the Personal Information Protection Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Cybersecurity Law of the People’s Republic of China, the Regulation on Network Data Security Management, and other relevant laws and regulations, for the purpose of regulating personal information processing activities by major online platforms, protecting the lawful rights and interests of personal information subjects, and promoting the lawful and reasonable use of personal information.
Article 2
These Provisions apply to personal information protection for major online platforms that are built and operated within the territory of the People’s Republic of China. Where laws or administrative regulations provide otherwise, such provisions shall prevail.
Article 3
The national cyberspace administration, together with the public security departments of the State Council and other relevant departments, shall formulate, publish, and dynamically update a catalog of major online platforms.
The designation of “major online platforms” mainly considers the following factors:
(1) More than 50 million registered users, or more than 10 million monthly active users;
(2) Provision of important network services or business scope covering multiple types of services;
(3) Data under their possession or processing, if leaked, tampered with, or damaged, would have significant impact on national security, economic operations, or critical aspects of people’s livelihoods;
(4) Other circumstances stipulated by the national cyberspace administration and the public security departments of the State Council.
Article 4
Network data processors that provide major online platform services (hereinafter referred to as “major online platform service providers”) shall follow the principles of lawfulness, legitimacy, necessity, and good faith in their personal information processing activities; comply with laws and regulations; adhere to social ethics and public order; bear primary responsibility for the security of personal information they process; strictly protect sensitive personal information and personal information of minors; and fulfill their social responsibilities. They must not endanger national security or public interests, nor infringe the lawful rights and interests of individuals and organizations.
Article 5
Major online platform service providers shall designate a personal information protection officer in accordance with relevant laws and regulations and make their contact information publicly available.
The personal information protection officer shall be a member of the provider’s management, possess PRC nationality, hold no foreign permanent residency or long-term residence permit, and have at least five years of professional experience in personal information protection. The officer may concurrently serve as the network data security officer.
The personal information protection officer shall perform the following duties:
(1) Guide the major online platform in lawful personal information processing, implement regulatory requirements issued by the national cyberspace administration, public security departments of the State Council, and other competent authorities, and cooperate with supervision and inspection activities;
(2) Participate in decision-making related to personal information processing and hold veto power over such matters;
(3) Supervise personal information processing activities and protective measures. Upon discovering significant security risks or violations, the officer shall immediately take necessary measures and report to the national cyberspace administration and relevant authorities, and file a report with public security organs if a suspected crime is involved;
(4) Organize the formulation of special rules for processing personal information of minors.
The personal information protection officer may directly report relevant matters to the national cyberspace administration and competent authorities.
Article 6
Major online platform service providers shall establish a dedicated personal information protection department or structure, carry out relevant work under the leadership of the personal information protection officer, including but not limited to:
(1) Formulating and implementing internal systems, operating procedures, and emergency response plans for personal information protection; reasonably determining operational permissions; and managing the security of personal information processing activities;
(2) Conducting personal information security risk monitoring, assessments, compliance audits, impact assessments, emergency drills, publicity, and training, and promptly addressing security risks and incidents;
(3) Formulating standards and obligations for product/service providers on the platform regarding personal information processing, and supervising their compliance;
(4) Assigning dedicated personnel responsible for the protection of minors’ personal information;
(5) Receiving and handling complaints and reports related to personal information protection;
(6) Preparing and publishing an annual social responsibility report on personal information protection.
Major online platform service providers are encouraged to establish a specialized personal information protection department.
Article 7
Major online platform service providers shall provide necessary support for the personal information protection officer and relevant departments to fulfill their duties.
Article 8
Major online platform service providers shall promptly submit the following information to the national cyberspace administration:
(1) Basic information of the personal information protection officer;
(2) Basic information of the personal information protection department;
(3) Measures ensuring that the personal information protection officer and department can perform their duties.
If any of the above changes, the provider shall report the updated information within 20 working days. The national cyberspace administration shall share relevant information with the public security departments of the State Council and other competent authorities.
Article 9
Major online platform service providers shall store within the territory of the PRC all personal information collected or generated during their domestic operations. If cross-border provision is necessary, it must comply with national security management regulations governing data exports.
They must also strengthen technical and managerial measures for cross-border personal information protection and promptly guard against and address unlawful or noncompliant data export risks.
Article 10
Major online platform service providers shall store personal information collected or generated in domestic operations in data centers that meet the following requirements:
(1) Located within the territory of the PRC;
(2) The principal person in charge holds PRC nationality and has no foreign permanent residency or long-term residence permit;
(3) Meets the security requirements of relevant national standards.
Article 11
Data centers shall assist major online platform service providers in fulfilling their personal information protection obligations, including but not limited to:
(1) Establishing and improving internal systems for personal information management;
(2) Upon discovering security defects, vulnerabilities, or risks in systems, network products, or services that affect personal information protection obligations, taking immediate remedial measures, reporting to competent authorities, and notifying the provider’s personal information protection officer;
(3) In the event of a personal information security incident, immediately notifying the provider’s personal information protection officer, activating emergency plans, mitigating harm, eliminating risks, and reporting to the national cyberspace administration and competent authorities;
(4) Implementing requirements issued by the national cyberspace administration, public security departments of the State Council, and other competent authorities.
Article 12
When major online platform service providers engage third-party data centers that meet the requirements in Article 10, they shall sign a contract specifying storage location, scale, and categories of data, and stipulate compliance with the security obligations in Article 11 and the following:
(1) Strictly fulfilling personal information protection obligations in accordance with laws, regulations, and the contract; providing secure, stable, and continuous services; and accepting oversight by the provider’s personal information protection officer and supervisory committees;
(2) Facilitating the provider’s processing of personal information;
(3) Assisting the provider in managing the security of personal information processing.
Article 13
Major online platform service providers shall submit basic information on data centers used for personal information storage to the national cyberspace administration, including management teams, organizational structures, internal rules, security measures, and contracts with third-party data centers. Changes must be reported within 10 working days.
Article 14
Major online platform service providers shall provide convenient means for individuals to exercise their rights to access, copy, correct, supplement, delete, restrict processing of personal information, or cancel accounts and withdraw consent.
Upon request, providers shall transfer an individual’s personal information to another designated processor within 30 working days in a general, machine-readable format and notify the individual of the processing result. If legal conditions are not met, providers must explain the reasons. Extensions of up to 30 additional working days may be granted if necessary due to operational complexity or volume.
API-based or standardized methods for data portability are encouraged, with security measures such as identity verification and encrypted transmission.
Providers may charge reasonable fees for repeated transfer requests based on cost.
Article 15
Major online platform service providers shall conduct or engage third parties to conduct compliance audits, risk assessments, and other activities, and rectify identified issues. Providers are encouraged to engage certified professional institutions.
Certifications follow provisions under the Regulations on Certification and Accreditation of the PRC.
Article 16
Third-party institutions engaged to conduct compliance audits or risk assessments shall be registered in the PRC. Upon discovering significant security risks or violations, they may directly report to the national cyberspace administration and competent authorities, and must report crimes to public security organs if suspected.
Article 17
Where major online platform service providers exhibit any of the following, the national cyberspace administration, public security departments of the State Council, and competent authorities may require them to engage third-party institutions to conduct audits or risk assessments:
(1) Personal information processing activities severely affect personal rights or lack adequate security measures;
(2) Multiple violations involving unlawful cross-border data transfers;
(3) Activities likely to infringe the rights of many individuals;
(4) Security incidents resulting in leakage, tampering, loss, or destruction of personal information of more than one million individuals, or sensitive personal information of more than 100,000 individuals;
(5) Other circumstances stipulated by laws or competent authorities.
Providers must cooperate and provide necessary access, including to network data facilities, systems, and operation logs.
If a provider is deemed unable to ensure personal information security, authorities may require it to use third-party data centers meeting the Provisions.
Article 18
Major online platform service providers are encouraged to adopt national network identity authentication services, use data labeling technologies, obtain personal information protection certifications, and enhance protection capabilities.
Article 19
Major online platform service providers are encouraged to innovate technologies, products, and services related to personal information protection and actively participate in developing international standards and rules to promote mutual recognition of cross-border personal information protection standards.
Article 20
Any organization or individual may file complaints or reports regarding violations of these Provisions by major online platform service providers or data centers. Relevant authorities shall address complaints within 15 working days and inform the complainant of the outcome. Authorities shall enhance information sharing and collaborative enforcement.
Article 21
Where major online platform service providers, third-party institutions, or data centers fail to fulfill personal information protection obligations, cyberspace authorities, public security organs, and competent authorities shall pursue legal liability; where crimes are constituted, criminal liability shall be pursued.
Article 22
Staff of cyberspace authorities, public security organs, competent departments, third-party data centers, and third-party institutions shall keep confidential all personal privacy, personal information, trade secrets, and confidential business information learned in the course of their duties, and must not disclose or illegally provide such information.
Article 23
Personal information processing activities involving state secrets or work secrets shall comply with the Law on Guarding State Secrets of the PRC and related regulations. Major online platforms shall implement cybersecurity classified protection requirements, and those designated as critical information infrastructure shall also comply with relevant national regulations.
Article 24
These Provisions shall come into force on X Month X, Year X.