China: Cyberspace Administration closes consultation on draft Regulation on Protection of Personal Information on Large-scale Online Platforms including data localisation requirements

On 22 December 2025, the Cyberspace Administration closes the consultation on the draft Regulation on the Protection of Personal Information on Large-scale Online Platforms, including data localisation requirements. The regulation would apply to large-scale online platforms developed or operated within China, as identified by internet regulatory agencies according to criteria such as the number of registered users (50 million), monthly active users (10 million), the provision of important network services or multiple types of business, and the processing of data which, if compromised, could have serious consequences for national security or the economy. The draft regulation requires large-scale online platform providers to store all personal information collected or generated in China within the country. Overseas transfers are permitted only when necessary and must comply with national data export security rules, supported by safeguards to prevent unlawful cross-border transfers. Further, personal information must be stored in data centres located in China, managed by a Chinese citizen with no permanent or long-term foreign residency, and operated in accordance with national security standards. If a provider uses a third-party data centre, the parties must conclude a contract specifying storage arrangements, compliance obligations, security requirements, and support for the provider’s personal information protection duties. If authorities determine that a provider cannot ensure the security of personal information, they may require it to store data in a compliant third-party data centre.