China: Cyberspace Administration opened consultation on simplified measures for protection of personal information for small personal information processors

On 3 April 2026, the Cyberspace Administration opened a consultation on simplified measures for the protection of personal information for small personal information processors, until 3 May 2026. The measures apply to any entity in China that processes the personal information of fewer than 1’00’000 individuals. The measures introduce streamlined compliance obligations across several areas, including a requirement to publish personal information processing rules disclosing the processor's identity, contact details for individual rights requests, and the purpose, method, types, and retention period of data processed. It also requires that, where sensitive personal information is processed, processors must inform individuals of the necessity and impact of such processing within their published rules. On cross-border data transfers, processors are exempt from standard requirements, including security assessments, standard contracts, and certification in specified circumstances, including contractual necessity and emergencies. In the event of a data breach, processors must take immediate remedial action and notify affected individuals and relevant authorities, using simplified means such as on-premises notices or pop-up notifications where necessary. Finally, the measures introduce enforcement provisions, whereby minor or first-time violations that are promptly corrected and cause no harmful consequences will not attract penalties, and processors that actively mitigate harm, voluntarily disclose violations, or cooperate with authorities will receive lighter or reduced penalties.