December 2025
Analysis of the Provisions on the Protection of Personal Information by Large Online Platforms (Draft for Comments) (Mainland China)
On November 22, 2025, the Cyberspace Administration of China (CAC) and the Ministry of Public Security jointly released the Provisions on the Protection of Personal Information by Large Online Platforms (Draft for Comments) (hereinafter, the “Draft for Comments”). This document marks a new stage in China’s personal information protection regulation, characterized by “precision-based” and “tiered” governance. The Draft for Comments imposes “gatekeeper” obligations on large online platforms that go far beyond those applicable to ordinary network operators. Its core content and legal implications are mainly reflected in the following aspects:
I. Clarification of the Scope of Application
The Draft for Comments clearly defines its regulatory targets, i.e., “large online platforms.” This definition is not a simple aggregation of metrics such as user numbers or revenue, but rather a comprehensive legal profile. The main factors considered include:
1. Having registered users of 50 million or more, or monthly active users of 10 million or more;
2. Providing important network services or operating across multiple categories of business;
3. Possessing and processing data that, if leaked, tampered with, or destroyed, would have a significant impact on national security, economic operations, the national economy and people’s livelihoods; and
4. Other circumstances as prescribed by the national cyberspace administration authorities or the public security departments of the State Council.
This definition indicates that regulatory resources will be concentrated on platforms with systemic importance. Once brought within this scope, a platform’s legal obligations will undergo a “qualitative change,” elevating it from an ordinary personal information processor to a “gatekeeper” required to fulfill special public responsibilities. This provides platforms with clearer expectations for their compliance efforts.
II. Establishment of Core Obligations
The core of the Draft for Comments lies in constructing a multidimensional responsibility framework for large online platforms, among which the following aspects are particularly noteworthy:
A. Establishment of Independent Oversight Mechanisms: Mandatory Introduction of an “Internal Compliance Officer”
The Draft for Comments requires large online platform service providers to designate a person in charge of personal information protection in accordance with relevant laws and regulations, and to publicly disclose the contact information of such a person. Notably, the designated person in charge of personal information protection is permitted to report directly to the cyberspace administration authorities, thereby strengthening internal independence and external accountability.
B. Enhanced Annual Review and Disclosure Obligations: Introduction of “Annual Inspections” and Public Oversight
The Draft for Comments requires large online platforms to regularly publish social responsibility reports in order to enhance public supervision. Articles 15 through 17 further encourage, and in certain circumstances require, platforms to engage certified third-party professional institutions to conduct compliance audits and risk assessments. In specific serious situations, regulatory authorities may mandate platforms to commission third-party audits, and such third-party institutions are expressly granted the right to directly report to regulators upon discovering major risks or violations.
C. Formulation of Platform Rules and Fair Governance: Reinforcement of the “Gatekeeper” Role
Large online platforms are required to formulate platform rules in a fair and impartial manner, clearly defining the standards and obligations applicable to personal information processing by product and service providers within the platform ecosystem, and to supervise their compliance. This requirement effectively consolidates the platforms’ “gatekeeper” responsibilities over the broader digital ecosystem.
III. Clarification of Compliance Requirements
The Draft for Comments imposes a new set of compliance requirements on large online platforms, giving rise to legal risks that are both real and urgent. Establishing independent oversight structures, conducting annual audits, and strengthening platform ecosystem governance all require substantial investments of human, financial, and technical resources. Violations of the relevant provisions may result in severe penalties under the Personal Information Protection Law, including substantial fines, orders to suspend relevant business activities, suspension of operations for rectification, or even revocation of business licenses.
Conclusion
In summary, although the Draft for Comments has not yet entered into force, large online platform enterprises should act proactively. It is imperative for such platforms to prepare in advance by benchmarking their existing practices against the Draft for Comments, initiating comprehensive compliance gap analyses, improving platform rules, and strengthening their personal information protection obligations at an early stage.
I. Clarification of the Scope of Application
The Draft for Comments clearly defines its regulatory targets, i.e., “large online platforms.” This definition is not a simple aggregation of metrics such as user numbers or revenue, but rather a comprehensive legal profile. The main factors considered include:
1. Having registered users of 50 million or more, or monthly active users of 10 million or more;
2. Providing important network services or operating across multiple categories of business;
3. Possessing and processing data that, if leaked, tampered with, or destroyed, would have a significant impact on national security, economic operations, the national economy and people’s livelihoods; and
4. Other circumstances as prescribed by the national cyberspace administration authorities or the public security departments of the State Council.
This definition indicates that regulatory resources will be concentrated on platforms with systemic importance. Once brought within this scope, a platform’s legal obligations will undergo a “qualitative change,” elevating it from an ordinary personal information processor to a “gatekeeper” required to fulfill special public responsibilities. This provides platforms with clearer expectations for their compliance efforts.
II. Establishment of Core Obligations
The core of the Draft for Comments lies in constructing a multidimensional responsibility framework for large online platforms, among which the following aspects are particularly noteworthy:
A. Establishment of Independent Oversight Mechanisms: Mandatory Introduction of an “Internal Compliance Officer”
The Draft for Comments requires large online platform service providers to designate a person in charge of personal information protection in accordance with relevant laws and regulations, and to publicly disclose the contact information of such a person. Notably, the designated person in charge of personal information protection is permitted to report directly to the cyberspace administration authorities, thereby strengthening internal independence and external accountability.
B. Enhanced Annual Review and Disclosure Obligations: Introduction of “Annual Inspections” and Public Oversight
The Draft for Comments requires large online platforms to regularly publish social responsibility reports in order to enhance public supervision. Articles 15 through 17 further encourage, and in certain circumstances require, platforms to engage certified third-party professional institutions to conduct compliance audits and risk assessments. In specific serious situations, regulatory authorities may mandate platforms to commission third-party audits, and such third-party institutions are expressly granted the right to directly report to regulators upon discovering major risks or violations.
C. Formulation of Platform Rules and Fair Governance: Reinforcement of the “Gatekeeper” Role
Large online platforms are required to formulate platform rules in a fair and impartial manner, clearly defining the standards and obligations applicable to personal information processing by product and service providers within the platform ecosystem, and to supervise their compliance. This requirement effectively consolidates the platforms’ “gatekeeper” responsibilities over the broader digital ecosystem.
III. Clarification of Compliance Requirements
The Draft for Comments imposes a new set of compliance requirements on large online platforms, giving rise to legal risks that are both real and urgent. Establishing independent oversight structures, conducting annual audits, and strengthening platform ecosystem governance all require substantial investments of human, financial, and technical resources. Violations of the relevant provisions may result in severe penalties under the Personal Information Protection Law, including substantial fines, orders to suspend relevant business activities, suspension of operations for rectification, or even revocation of business licenses.
Conclusion
In summary, although the Draft for Comments has not yet entered into force, large online platform enterprises should act proactively. It is imperative for such platforms to prepare in advance by benchmarking their existing practices against the Draft for Comments, initiating comprehensive compliance gap analyses, improving platform rules, and strengthening their personal information protection obligations at an early stage.
The contents of all newsletters of Shanghai Lee, Tsai & Partners (Content) available on the webpage belong to and remain with Shanghai Lee, Tsai & Partners. All rights are reserved by Shanghai Lee, Tsai & Partners, and the Content may not be reproduced, downloaded, disseminated, published, or transferred in any form or by any means, except with the prior permission of Shanghai Lee, Tsai & Partners.
The Content is for informational purposes only and is not offered as legal or professional advice on any particular issue or case. The Content may not reflect the most current legal and regulatory developments. Shanghai Lee, Tsai & Partners and the editors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The contributing authors' opinions do not represent the position of Shanghai Lee, Tsai & Partners. If the reader has any suggestions or questions, please do not hesitate to contact Shanghai Lee, Tsai & Partners.
