China: Cyberspace Administration opened consultation on draft Regulation on Protection of Personal Information on Large-scale Online Platforms including data protection requirements

On 22 November 2025, the Cyberspace Administration of China opened a consultation on the draft Regulation on the Protection of Personal Information on Large-scale Online Platforms, including data protection requirements, until 22 December 2025. The regulation would apply to large-scale online platforms developed or operated within China, as identified by internet regulatory agencies according to criteria such as the number of registered users (50 million), monthly active users (10 million), the provision of important network services or multiple types of business, and the processing of data which, if compromised, could have serious consequences for national security or the economy. Providers of such platforms would need to offer easy-to-use channels for individuals to exercise their data subject rights. They would also be required to conduct risk assessments and compliance audits. Internet regulatory agencies could require platforms to undergo audits in cases where processing seriously affects personal rights, involves repeated unlawful or non-compliant outbound transfers, may infringe the rights of a large number of individuals, or when a security incident affects the personal information of one million people or the sensitive information of 100’000 people. If a provider is unable to guarantee the security of personal information, the authorities could require them to store that information in compliant data centres.