China Seeks Public Feedback on New Data Protection Rules for Large Online Platforms

Introduction to New Data Protection Initiatives

The Cyberspace Administration of China (CAC) and the Ministry of Public Security (MPS) have jointly released a new set of draft regulations concerning personal information protection for large online platforms. These proposed rules, made public on Saturday, November 22, 2025, are now open for public consultation, marking a significant step in China's ongoing efforts to strengthen data security and individual privacy rights. The initiative aims to enhance the protection of personal information, safeguard the legal rights of individuals, and foster the healthy development of the platform economy.

Key Provisions for Data Handling and Storage

The draft regulations introduce stringent requirements for how large online platforms manage personal information. A central tenet is the mandate that personal information collected and generated within China must be stored domestically. Should there be a necessity to transfer this information abroad, platforms are required to comply with national data export security regulations. Furthermore, they must implement robust technical and managerial measures to prevent and address risks associated with illegal data transfer overseas. The regulations also stipulate that personal information must be housed in data centers located in China that meet national security standards.

Enhanced User Rights and Platform Accountability

Under the proposed framework, online platform service providers will be obligated to offer convenient methods and channels for individuals to exercise their data rights. This includes the ability to

• access
• correct
• supplement
• delete their personal information
• delete their accounts

. In cases where an individual requests the transfer of their personal information to a designated personal information processor, the service provider must complete this action within 30 working days of receiving the request.

To ensure accountability, the draft regulations outline measures for addressing serious deficiencies in personal information protection. Platforms exhibiting repeated violations or significant data breaches—such as the leakage, alteration, loss, or destruction of personal information belonging to over 1 million individuals, or sensitive personal information of over 100,000 individuals—may be subjected to mandatory compliance audits and risk assessments by third-party professional organizations. The regulations also encourage the adoption of national network identity authentication services, data labeling technologies, and personal information protection certifications to elevate data protection standards.

Public Consultation and Broader Context

The public is invited to submit feedback on these draft regulations through various channels, with the consultation period concluding on December 22, 2025. Authorities are also required to respond to complaints about violations within 15 working days. The CAC and MPS have underscored the importance of confidentiality for all involved parties, including government departments and third-party organizations, regarding personal privacy, business secrets, and other sensitive information encountered during their duties.

This move aligns with China's broader legislative landscape for data security, notably the Personal Information Protection Law (PIPL), which came into effect on November 1, 2021. The PIPL already imposes specific obligations on internet platform services with a large number of users and complex business models, such as establishing independent supervisory bodies and regularly publishing social responsibility reports on personal information handling.