On 3 April 2026, the Cyberspace Administration of China (CAC) released the “Provisions on the Simplified Measures for Personal Information Protection by Small-scale Personal Information Processors (Draft for Comment)” (the “Draft Provisions”), with the public consultation period running until 3 May 2026.
The central message is clear: the regulator is not lowering the baseline standards established by the Personal Information Protection Law (PIPL), but is seeking to right-size the paperwork and procedural burden for smaller operators — in particular offline merchants and businesses operating through online platforms.
1. Why this draft, and why now?
The Draft Provisions sit within China’s broader data protection framework — the PIPL, the Civil Code, and the Regulations on Network Data Security Management — and are grounded in PIPL Article 62, which expressly contemplates specialised rules for small-scale processors. The policy intent is straightforward: allow smaller operators to achieve meaningful compliance without being held to requirements designed for large-scale data operations.
The draft builds on two recent instruments: the CAC’s 2024 Provisions on Promoting and Regulating Cross-Border Data Flows (Order No. 16) and the Personal Information Protection Compliance Audit Management Measures (effective 1 May 2025). The Draft Provisions do not replace either; they carry the same mechanisms over to smaller processors in a scaled-down form.
Sectors most likely in scope — and worth a self-check. The drafting note records field visits to industrial parks, primary and secondary schools, grassroots hospitals, technology and innovation enterprises, and professional service institutions — a practical signal of where the regulator believes compliance friction is most acute. Organisations in these sectors should proactively assess whether they fall below the 100,000-individual threshold and which simplified pathways they are able to rely upon.
2. Who qualifies as a “small-scale personal information processor”?
The Draft Provisions define a small-scale personal information processor as one that processes the personal information of fewer than 100,000 individuals (Article 2).
Several points deserve attention at this stage.
- Territorial scope. The Draft Provisions apply only to small-scale personal information processors operating within the territory of China (Article 2). This is a notable limitation: the PIPL has extraterritorial reach and can apply to processors located outside China that handle the personal information of individuals in China for purposes such as providing products or services. No equivalent simplified framework has yet been issued for such extraterritorial processors. Until one is, they remain subject to the standard PIPL regime without the proportionality accommodations now available to their onshore counterparts.
- How to count 100,000. The Draft Provisions do not elaborate on the mechanics of counting — whether individuals should be de-duplicated, how the period is measured, or how group or affiliate structures are treated. Drawing an analogy from the cross-border data transfer framework — where the 100,000-individual figure is calculated cumulatively from 1 January of the current year and on a de-duplicated basis — a consistent, de-duplicated, cumulative count appears to be the most defensible approach. Businesses should not assume that a snapshot figure or raw count will suffice.
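The counting approach argued for above (cumulative from 1 January of the reference year, de-duplicated across every system that holds the data) is easy to state and easy to get wrong, because the same person usually appears under differently formatted identifiers in a point-of-sale system, a booking tool and a delivery app. The script below is an added example, not something the CAC or the Draft Provisions publish: it treats records that share any normalised identifier as one individual, excludes rows collected before the cut-off date, and reports the raw row count beside the de-duplicated figure so the gap between the two is visible. The record fields, the normalisation rules and the sample rows are this example's own assumptions, constructed for illustration.

```python
"""Year-to-date, de-duplicated data-subject count across several record sources.

Added example, not taken from the Draft Provisions or from any CAC material.
It assumes the counting method the article reaches by analogy to the
cross-border rules: cumulative from 1 January of the reference year and
de-duplicated across systems. Field names, normalisation rules and sample
rows are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date
import re

THRESHOLD = 100_000  # Article 2: "fewer than 100,000 individuals"


@dataclass(frozen=True)
class Record:
    """One row exported from one system (field names are an assumption)."""
    source: str
    collected: date
    phone: str = ""
    email: str = ""


def normalise_phone(raw: str) -> str:
    """Keep digits only and drop a leading 86 country code, so that
    '+86 138 0000 0001' and '13800000001' compare equal."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 13 and digits.startswith("86"):
        digits = digits[2:]
    return digits


def normalise_email(raw: str) -> str:
    return raw.strip().lower()


def identifier_keys(rec: Record) -> set[tuple[str, str]]:
    """All normalised identifiers carried by one record."""
    keys = set()
    if rec.phone:
        keys.add(("phone", normalise_phone(rec.phone)))
    if rec.email:
        keys.add(("email", normalise_email(rec.email)))
    return keys


class _UnionFind:
    """Minimal disjoint-set structure over identifier keys."""

    def __init__(self) -> None:
        self.parent: dict = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def count_individuals(records, reference_year: int) -> dict:
    """Count distinct individuals whose data was processed on or after
    1 January of reference_year. Records sharing any normalised identifier
    merge into one individual, transitively: a phone seen in system A and an
    email seen in system B count once if some record carries both.
    Rows with no usable identifier cannot be linked and are each counted as
    one individual (a conservative choice; the figure is reported separately)."""
    cutoff = date(reference_year, 1, 1)
    in_window = [r for r in records if r.collected >= cutoff]
    uf = _UnionFind()
    unlinkable = 0
    for rec in in_window:
        keys = list(identifier_keys(rec))
        if not keys:
            unlinkable += 1
            continue
        for k in keys[1:]:
            uf.union(keys[0], k)
    roots = {uf.find(k) for rec in in_window for k in identifier_keys(rec)}
    distinct = len(roots) + unlinkable
    return {
        "raw_rows": len(records),
        "rows_in_window": len(in_window),
        "distinct_individuals": distinct,
        "unlinkable_rows": unlinkable,
        "below_threshold": distinct < THRESHOLD,
    }


# Constructed sample rows (not real data): the first three are one person.
SAMPLE = [
    Record("pos", date(2026, 2, 3), phone="+86 138 0000 0001"),
    Record("booking", date(2026, 2, 10), phone="13800000001", email="A@Example.com"),
    Record("delivery", date(2026, 3, 1), email="a@example.com"),
    Record("pos", date(2026, 3, 5), phone="13800000002"),
    Record("booking", date(2025, 12, 30), phone="13800000003"),  # before 1 Jan: excluded
    Record("walk-in", date(2026, 1, 15)),                         # no identifier at all
]

if __name__ == "__main__":
    print(count_individuals(SAMPLE, 2026))
```

Six raw rows collapse to three individuals for 2026: one person linked across three systems, one further phone number, and one unlinkable walk-in row; the December 2025 row falls outside the window. The point for the eligibility assessment is the documented method, not the script: record which identifiers you normalise, how you treat rows that cannot be linked, and which date you count from, because a regulator asking how you arrived at "fewer than 100,000" will want exactly that.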
How does this compare with other jurisdictions?
The drafting note states that CAC referred to domestic and overseas approaches when designing the scope and compliance accommodations for small-scale processors, but does not identify which specific jurisdictions. What is distinctive about China’s approach is not merely the choice of metric — a data-subject count, rather than headcount or turnover — but the breadth of the package: rather than relaxing a single obligation, the Draft Provisions introduce an integrated simplified compliance tier spanning notices, audits, impact assessments, cross-border transfers, and enforcement treatment. Accordingly, any cross-jurisdictional comparison should be treated as context rather than evidence of CAC’s specific source materials.
3. Complying with the privacy notice requirement — a practical, step-by-step guide
This section walks through the compliance pathway for privacy notices in a structured, operational sequence — from the simplest scenario to progressively more complex situations. The starting point is always the same: are you operating online, offline, or both?
If you operate online:
Step 1 — Can you rely entirely on the platform’s rules? (Article 8)
If you process personal information solely through a network platform, you may be able to dispense with your own personal information processing rules and notification obligations altogether, provided all of the following conditions are satisfied:
- You process personal information only through that network platform and do not provide personal information to any personal information processor outside the platform;
- The platform has already formulated and published its own personal information processing rules and has fulfilled its notification obligations to individuals; and
- You declare that you comply with the platform’s personal information processing rules, and your processing of personal information is necessary for providing your products or services.
If all three conditions are met, you are not required to formulate your own personal information processing rules or independently fulfil notification obligations (Article 8, paragraph 1).
An additional benefit applies: if the platform has already conducted a personal information protection compliance audit and a personal information protection impact assessment, you are not required to repeat those exercises independently (Article 8, paragraph 2).
Step 2 — If you cannot fully meet the Article 8 conditions, you must formulate your own processing rules and notify individuals.
Your personal information processing rules must contain at least the following (Article 4, paragraph 1):
- The name or title of your organisation;
- The person responsible for handling individuals’ rights requests and their contact details; and
- The purpose and method of processing, the types of personal information processed, and the retention period.
How to notify individuals online: the processing rules may be disclosed through your service agreement or by other means (Article 4, paragraph 2). This represents a meaningful simplification in practice: for small-scale processors that also meet the Article 6 conditions (set out below under the simplified notification path), online disclosure of the processing rules through the service agreement alone may suffice to fulfil the notification obligation. A standalone, lengthy privacy policy is not necessarily required under this framework.
If you operate offline:
Step 1 — Are you operating within a managed park, industrial base, or commercial property? (Article 5)
If you conduct offline business within the scope of a service management entity — such as an industrial park, industrial base, or commercial property operator — you may be able to rely on unified personal information processing rules issued by that entity, provided:
- The service management entity has formulated and publicly disclosed unified rules for small-scale processors conducting the same type of offline business within its scope; and
- You agree to comply with those unified rules and your business is specifically listed in them.
If both conditions are met, you are not required to formulate your own personal information processing rules (Article 5). In practical terms, this means a shop in a mall, a market stall in a managed market, or a tenant in a business park may be able to rely on the operator’s umbrella notice framework rather than preparing its own document.
Step 2 — If no unified rules exist or you are not within a managed service scope, you must formulate your own processing rules and notify individuals.
The required minimum content is the same as for online operators (Article 4, paragraph 1):
- Name or title of your organisation;
- Rights request contact person and their contact details; and
- Processing purpose, method, types of personal information, and retention period.
How to notify individuals offline: you may post a notice in a prominent location at your business premises (Article 4, paragraph 2). In practice, this may take the form of a clearly worded poster displayed at the entrance or at the point where individuals provide their information — for example, at a service counter or check-in area.
A simplified notification path available to both online and offline operators (Article 6)
Regardless of whether you operate online or offline, if you simultaneously satisfy both of the following conditions, you may fulfil your notification obligation solely by publicly disclosing your processing rules — without the need for separate individual notifications at the point of collection — provided those rules are easily accessible and can be retained by individuals:
- Your processing of personal information (excluding sensitive personal information) is necessary for providing your products or services; and
- You do not provide the personal information to other personal information processors and do not disclose it externally — and this is expressly stated in your processing rules.
This provision is particularly relevant for small businesses that collect straightforward operational data (such as contact details for service bookings or delivery addresses), do not share that data with third parties, and whose processing is inherently tied to the product or service being provided.
4. Special circumstances: when notification obligations differ
Beyond the general framework above, the Draft Provisions set out specific rules for situations where the nature of the personal information, the manner of its collection, or the broader context calls for a different approach to notification.
4.1 Sensitive personal information (Article 10)
Where you process sensitive personal information for a specific purpose (such as facial recognition for access control, or the collection of biological samples), your personal information processing rules must additionally explain:
- The necessity of processing that category of sensitive personal information; and
- The impact that such processing may have on individuals’ rights and interests.
In terms of collection, the draft provides that where an individual knowingly and voluntarily provides sensitive personal information — such as facial data or biological samples — you may process it in accordance with the purposes, methods, and types already disclosed in your processing rules (Article 10, paragraph 2).
A word of caution: this should not be read as reducing the substantive protections that apply to sensitive personal information. The PIPL sets a high baseline — including the concept of separate consent — for the processing of sensitive personal information. How “knowing and voluntary provision” interacts with PIPL’s consent formalities in practice (for instance, in facial recognition attendance systems or biometric access control deployments) is a question likely to be raised during the consultation period and one that businesses should approach carefully in the meantime.
4.2 Individuals voluntarily providing personal information to obtain products or services (Article 7)
Where an individual, for the purpose of obtaining your products or services, voluntarily provides the personal information necessary for that purpose — and you have already publicly disclosed your processing rules and fulfilled your notification obligations — you may process that personal information in accordance with your disclosed rules (Article 7).
This provision is designed to reflect common operational realities: a customer who fills in a booking form, provides contact details at a service counter, or submits a delivery address online does so voluntarily and with a clear transactional purpose. Provided your rules are clear, publicly available, and properly communicated, no additional layer of consent capture or separate notification at the point of collection is required.
4.3 Transfer of personal information due to merger, dissolution, or similar events (Article 9)
Where personal information must be transferred as a result of a merger, division, dissolution, bankruptcy declaration, or other similar event, you must notify individuals of the recipient’s name or title and their contact details. Notification may be made through simplified means:
- Offline operators: by posting a notice in a prominent location at your business premises;
- Online operators (or those offering both): additionally through a pop-up notice within the product or service client.
The timing requirements are strict: the notice must be published at least 30 working days in advance and remain publicly available for no less than 30 working days (Article 9, paragraph 2).
4.4 Cessation of business and inability to delete personal information (Article 13)
Where you cease to provide products or services and are genuinely unable to delete the personal information you hold, you may report to the relevant competent authority at your location and request assistance. If the relevant competent authority is unclear, you may approach the cyberspace administration at the districted-city level where you are located (Article 13).
5. Cross-border transfers: exemptions aligned with the 2024 facilitation framework
Article 11 of the Draft Provisions sets out a range of scenarios in which small-scale processors are exempt from the standard outbound transfer mechanisms — namely, the security assessment, the personal information standard contract, and personal information protection certification. The exemption conditions replicate those under the CAC’s 2024 Provisions on Promoting and Regulating Cross-Border Data Flows (Order No. 16), including the requirement that the personal information involved must not constitute important data. For processors already operating within that framework, nothing changes: the Draft Provisions simply confirm that the same exemptions apply to small-scale processors without requiring any additional steps.
Two further procedural accommodations are worth highlighting:
- Where a small-scale processor does need to apply for an outbound security assessment, the draft contemplates that the provincial-level CAC may conduct the assessment and submit its recommendation to the national CAC for approval — potentially streamlining what can otherwise be a resource-intensive process (Article 11, paragraph 3).
- Relevant departments and cross-border data service centres are encouraged to provide consulting services to small-scale processors navigating the outbound transfer landscape (Article 11, paragraph 4).
6. Governance duties: audits and impact assessments scaled to workable tools
6.1 Personal information protection compliance audit (Article 14)
Small-scale processors may conduct their compliance audit by completing the self-inspection checklist appended to the Draft Provisions at least once every five years, and must retain each completed checklist for at least five years.
The significance of this lies in what the Draft Provisions change. Under the existing framework — the Personal Information Protection Compliance Audit Management Measures (effective 1 May 2025) and the Cybersecurity Standard Practice Guidelines: Personal Information Protection Compliance Audit Requirements — audit obligations are structured as follows:
- Above 10 million individuals: mandatory audit at least once every two years;
- 1 million to 10 million individuals: audit recommended every three or four years — not mandatory;
- Fewer than 1 million individuals: audit recommended every five years — not mandatory.
Under this existing framework, a five-yearly audit was merely a recommendation for the smallest processors. The Draft Provisions elevate this to a mandatory requirement for small-scale processors (below 100,000 individuals), closing a gap at the lower end of the spectrum.
The result is a structure with mandatory obligations at both ends of the scale: the largest processors (above 10 million individuals) and the smallest (below 100,000) must audit, whilst those in between remain subject to recommendations only. For small-scale processors, the burden is kept proportionate through both the five-year cycle and the simplified checklist format.
6.2 Personal information protection impact assessment (Article 15)
Small-scale processors may conduct their impact assessments using the simplified assessment form appended to the Draft Provisions. The completed form must be retained for at least three years.
The simplified form is notably lighter than what is contemplated under the existing national standard — GB/T 39335-2020, the Information security technology – Guidance for personal information security impact assessment — which was enacted in 2020, prior to the PIPL, and has not yet been updated to reflect the PIPL framework. The triggering circumstances mirror those already set out in PIPL Article 55 — covering sensitive personal information, automated decision-making, entrusted processing and onward transfers, overseas transfers, and other activities with significant impact on individuals’ rights and interests.
For each applicable circumstance, the processor is required to complete the corresponding section of the form — recording its assessment conclusions in a structured but straightforward manner, rather than conducting the comprehensive methodology-driven analysis envisaged by the 2020 national standard.
Given that GB/T 39335-2020 predates the PIPL, an updated national standard for personal information protection impact assessments is widely anticipated. In the interim, the simplified form appended to the Draft Provisions offers a practical reference point for small-scale processors, and the structure of that form — organised around the five triggering circumstances above — provides useful guidance on what a minimum-standard impact assessment record should cover.
6.3 Certification as an exemption from audits (Article 18)
Personal information protection certification bodies are encouraged to direct their services towards small-scale processors and to improve service quality in doing so. Small-scale processors that have obtained personal information protection certification are exempt from conducting compliance audits for the duration of the certification’s validity period (Article 18) — making certification an attractive option for processors who would prefer a one-time third-party endorsement to periodic self-assessment cycles.
6.4 Internal governance documentation (Article 16)
Small-scale processors may satisfy requirements for a personal information protection management system and an emergency response plan by incorporating the relevant requirements into their existing organisational management documents — such as a staff handbook, operations manual, or internal policy document. A standalone, purpose-built governance document is not required.
7. Security incidents: simplified notification channels, unchanged urgency
Where personal information leakage, tampering, or loss occurs or is likely to occur, small-scale processors must (Article 17):
- Immediately take remedial measures;
- Notify affected individuals in accordance with applicable laws and administrative regulations; and
- Notify the department responsible for personal information protection.
Where it is genuinely impossible — due to objective limitations — to notify individuals through other means, simplified notification channels are permitted: a prominent notice posted at business premises, or a pop-up notice within the product or service client. If criminal conduct is suspected, the matter must be reported to the public security authorities promptly.
The key point here is that the Draft Provisions offer flexibility in how notice is delivered, but not in whether it must be delivered or how quickly remediation must begin. Urgency is unchanged; only the mechanics are adapted.
8. Enforcement: graduated and supportive, but not without teeth
The Draft Provisions formalise two enforcement accommodations for small-scale processors.
Exemption from administrative penalty (Article 19) in any of the following circumstances:
- The violation is minor and has been promptly corrected, with no harmful consequences;
- It is the processor’s first violation, the harmful consequences are minor, and it has been promptly corrected; or
- Other circumstances where exemption from penalty is required by law.
Lighter or mitigated penalties (Article 20) where:
- The processor has proactively eliminated or reduced the harmful consequences of the violation;
- The processor has voluntarily disclosed violations not yet known to the regulator;
- In the event of a personal information security incident, the processor promptly notified individuals, took remedial action, and proactively reported to the relevant authorities;
- The processor cooperated with the regulator’s investigation and demonstrated meritorious conduct; or
- Other circumstances warranting lighter or mitigated penalties under law.
Importantly, exemption from penalty does not mean exemption from regulatory scrutiny. The competent department may still take administrative supervisory measures — including regulatory interviews and the issuance of reminder letters — as it considers appropriate (Article 19, paragraph 2).
9. Capacity building: regulators encouraged to support, not only enforce
Article 21 encourages local authorities and relevant departments to support small-scale processors through training sessions, public legal education campaigns, lectures, consulting, and guidance. It further encourages the provision of compliance infrastructure, technical tools, and consulting services to help reduce the cost of compliance for small-scale processors — reflecting a recognition that regulation alone is insufficient without accessible support structures.
Practical takeaways
The Draft Provisions represent a meaningful attempt to translate the PIPL’s principles into practical, workable obligations for the smallest segment of personal information processors. For businesses assessing their position, the following priorities stand out:
- Confirm eligibility first. Verify whether you process fewer than 100,000 individuals’ personal information, apply a de-duplicated cumulative count, and document your methodology carefully.
- Use the Section 3 decision tree. Identify your simplest available compliance pathway — full platform reliance, unified park or property rules, or your own tailored notice — and structure your documentation accordingly.
- Check your data sharing and disclosure practices. Most of the simplified pathways are conditioned on not providing personal information to third parties or disclosing it externally. If you do share data, verify that this is explicitly addressed in your processing rules and that the appropriate legal basis and notice requirements are satisfied.
- Take sensitive personal information seriously. The simplified framework does not reduce the substantive protections owed to individuals whose biometric or other sensitive personal information is processed. If you collect facial data or biological samples, ensure your processing rules address necessity and impact, and monitor CAC guidance on how consent requirements apply in this context.
- Review your cross-border transfers. Categorise each transfer against the Article 11 exemptions and the 2024 cross-border framework. Confirm that no important data is involved in any transfer you seek to treat as exempt.
- Build your governance cycle into your calendar. Schedule the five-year audit checklist cycle and the three-year impact assessment retention requirement, and keep completed forms in a dedicated compliance folder.
- Prepare incident response templates now. Draft the text for a notice poster and an in-app pop-up so that you can act immediately if an incident occurs, without delay caused by document drafting under pressure.
- Nominate a rights contact. Designate one person and one dedicated contact channel for handling access, correction, deletion, and other individual rights requests.