China regulations on personal data for large online platforms get public airing

The Cyberspace Administration of China is seeking public comment on its draft regulations on personal information protection for large online platforms.

The proposed law says personal information, such as biometrics, collected and generated in China should be stored on Chinese soil, and that any transfer of data internationally should comply with national data export security regulations.

Beijing also wants personal information stored in data centers located in China, and for platforms to “strengthen technical and managerial measures to prevent and address risks associated with illegal data transfer overseas.” Operators of AI data centers must be Chinese citizens with “no permanent residency or long-term residency permit abroad.”

And if users ask for their personal information, or want their account deleted, platforms must comply with convenient options.

Per Article 21 of the draft, “if the cyberspace administration department, public security organs, and relevant competent authorities discover that a large network platform service provider, third-party professional institution, or data center has failed to fulfill its responsibility for protecting personal information, they shall hold it accountable in accordance with the law; if a crime is constituted, criminal liability shall be pursued in accordance with the law.”

Penalties could include compliance audits and risk assessments by third-party professional organizations, and platforms “found incapable of ensuring data security” could be required to store data in compliant third-party data centers. (In other words, the government will take it from here.)

Nothing in the proposed regulations is especially surprising, given the strict state control Beijing maintains over China’s digital ecosystem. But the stipulations on data centers suggest a politically and economically motivated mustering of resources in the ongoing development of large language models and machine learning technologies – and a determination to retain jurisdictional control over the data of Chinese citizens.

The public is “invited to submit feedback through various channels” until December 22, 2025.

Article Topics

China  |  cross-border data sharing  |  Cyberspace Administration of China (CAC)  |  data protection  |  digital identity  |  regulation