May 07 2026

China Issues Draft Rules on Simplified Data Protection Requirements for Small-Scale Data Controllers

On 3 April 2026, the Cyberspace Administration of China (“CAC”) issued the Draft Provisions on Simplified Measures for Personal Information Protection for Small-Scale Data Controllers (the “Draft Provisions”).

The intent of the Draft Provisions is to reduce the compliance burden for small- and medium-sized enterprises (“SMEs”). The Draft Provisions propose to simplify the obligations relating to notification, compliance audit procedures, data-breach response, personal information protection impact assessments (“PIPIA”) and cross-border data transfer requirements for “small-scale data controllers.” These simplifications reflect a proportionality-driven approach, tailoring compliance expectations to the volume of personal information processed by a data controller.

What is a “Small-scale Data Controller?”

A “small-scale data controller” is a data controller that processes the personal information of fewer than 100,000 individuals. This threshold is determined exclusively by the number of data subjects whose information is processed, without regard to other indicators of organisational size such as assets, revenue or staff headcount. The Draft Provisions also do not specify a reference period for the calculation; e.g., whether the threshold applies to the cumulative number of individuals whose data is processed within a given calendar year. This lack of specificity may give rise to uncertainty in practice, particularly for data controllers whose data volumes fluctuate over time.

Simplified Obligations

Simplified transparency and notification requirements

Small-scale data controllers may limit their privacy notices to the following key items: the name of the data controller, contact details of the person handling requests from data subjects, the purpose and method of data processing, the types of data, and the retention period. For offline data collection, small-scale data controllers may disclose privacy notices by posting them in conspicuous locations at business premises; for online data collection, privacy notices can be disclosed through service agreements.

Notably, small-scale data controllers may satisfy their notification obligations simply by publicly disclosing their privacy notices in a way that is easy to access and maintain, as opposed to providing individual notices to each data subject on each occasion, provided that the processing involves only non-sensitive personal information necessary for the supply of products or services, and the data controller does not provide or disclose the personal information to third parties.

Small-scale data controllers are not required to separately issue their own privacy notices or satisfy notification duties if: (1) they process personal information exclusively through a network platform (such as an e-commerce site) and do not provide personal information to third-party data controllers; (2) the network platform has issued its own data processing rules and has fulfilled the notification obligations; and (3) the small-scale data controllers have declared that they will comply with the data processing rules issued by the network platform, and process only the personal information necessary for providing products or services. Where the platform has already conducted compliance audits and PIPIAs, the small-scale data controllers that use the platform may rely on those exercises and will not be required to conduct their own.

Data Breach Response

The Draft Provisions simplify the notification requirements in the event of an actual or potential personal information breach. Where it is not practicable to notify affected individuals, small-scale data controllers may post relevant notices in conspicuous locations at business premises or via in-app pop-up alerts on the customer-facing service interface. That said, the Draft Provisions reiterate that small-scale data controllers are still expected to adopt mitigation measures, and notify relevant regulators pursuant to applicable regulations.

Cross-border Data Transfers

The Draft Provisions largely mirror the existing exemptions set out in the Provisions on Promoting and Regulating Cross-Border Data Transfers issued in 2024 (see our previous Legal Update, China Eases Controls over Cross-border Data Transfers). Small-scale data controllers are exempt from security assessments, standard contracts, and personal information protection certification where the cross-border transfer of data (excluding important data) is necessary for: (a) the performance of a contract to which the individual is a party; (b) cross-border human resources management; (c) protecting life, health, or property in an emergency; (d) the fulfilment of statutory duties or obligations; or (e) cumulative transfers of fewer than 100,000 individuals' non-sensitive personal information per calendar year by non-critical information infrastructure operators (“non-CIIOs”).

Where a small-scale data controller does need to apply for a data export security assessment, the Draft Provisions introduce a streamlined pathway, permitting provincial-level CAC offices to conduct the assessment and submit the assessment summary and recommendation to the national CAC for approval.

Compliance audits and impact assessments

Small-scale data controllers can also benefit from simplified compliance audit and impact assessment requirements under the Draft Provisions. They may conduct personal information protection compliance audits and impact assessments using the simplified self-assessment forms appended to the Draft Provisions. Compliance audits need be carried out only once every five years. This provides much-needed clarity on the required audit frequency for small-scale data controllers (see our previous Legal Update, China Finalises the Measures for Personal Information Protection Compliance Audits).

Enforcement and Penalties

The Draft Provisions adopt a notably lenient enforcement posture. No penalty is to be imposed on a small-scale data controller where: (a) the violation is minor, promptly corrected, and causes no harmful consequences; (b) it is a first-time violation with only minor consequences that is promptly rectified; or (c) other circumstances apply in which the law provides for no punishment. Even where penalties are not imposed, the relevant authorities may still conduct interviews, issue reminders, or take other administrative supervisory measures.

Reduced penalties are to be applied where the small-scale data controller: (a) proactively reduces or eliminates the harmful consequences of the violation; (b) voluntarily discloses unlawful conduct not yet known to the relevant regulators; (c) promptly notifies affected individuals, takes remedial measures and reports to the regulators following a security incident; (d) cooperates with regulators during investigations of violations; or (e) satisfies other conditions for mitigation in accordance with the law.

Takeaways

The Draft Provisions represent a significant step by the CAC in simplifying compliance for data controllers handling smaller volumes of personal information. Businesses processing personal information within China should continue to follow regulatory developments as the Draft Provisions are finalised, and pay particular attention to enforcement trends and interpretive guidance from the CAC, which will be instrumental in providing further clarity.

The authors would like to thank Roslie Liu, Legal Practice Assistant at Mayer Brown Hong Kong LLP, for her assistance with this legal update.
