China: Cyberspace Administration's Measures for Administration of Compliance Audits on Personal Information Protection including operating conditions

On 1 May 2025, the Cyberspace Administration of China (CAC)’s Measures for the Administration of Compliance Audits on Personal Information Protection enter into force. The measures specify that personal information processors handling data of over 1 million individuals must appoint a personal information protection officer, while large internet platforms with extensive users and complex operations should establish independent oversight bodies. Regulatory authorities will oversee audits and investigate non-compliance, with violations subject to penalties under applicable laws. State organs and public administration bodies are exempt from these requirements.