The Draft Rules on Simplified Personal Information Protection Measures for Small‑Scale Personal Information Processors (Draft Rules) signal a deliberate attempt by the Cyberspace Administration of China (CAC) to ease the compliance burden on small businesses; a move further acknowledging the importance of start-ups to innovation and SMEs to the growth of the world’s second largest economy.
The CAC released the Draft Rules on 3 April and is seeking public comments until 3 May 2026. No finalisation date is given, and details may change, but the text offers a clear view of the regulator’s policy intent. For foreign businesses that see China’s data rules as complex, costly and unevenly enforced, this is a noteworthy recalibration.
Who qualifies?
A domestic business (including those which are foreign invested) that handles the personal information of fewer than 100,000 individuals qualifies as a “small‑scale personal information processor” under the Draft Rules.
Importantly, the term “personal information processor” means an entity that independently decides on the purposes and processing methods during personal data processing activities. This is broadly similar to the concept of a “controller” under the GDPR.
This data volume threshold is notably distinct from the employee headcount and financial size criteria (turnover and total assets) used to define ‘small mid-cap enterprises’ (SMCs) in the proposed EU Digital Omnibus.
Similarly, unlike other recent rules released by the CAC, there is no timebox for this threshold, such as on an annual basis or over the lifespan of the organisation. Multinationals should expect to justify, if asked, how they count “100,000 individuals” and maintain records to support that assessment.
For further information, please contact:
Alex Roberts, Partner, Linklaters
alex.roberts@linklaters.com
