China – Simplified data protection regime proposed for small businesses
7 April 2026
Authors: Alex Roberts and Tiantian Ke
The Draft Rules on Simplified Personal Information Protection Measures for Small‑Scale Personal Information Processors (Draft Rules) signal a deliberate attempt by the Cyberspace Administration of China (CAC) to ease the compliance burden on small businesses, a move that further acknowledges the importance of start-ups to innovation and of SMEs to the growth of the world’s second-largest economy.
The CAC released the Draft Rules on 3 April and is seeking public comments until 3 May 2026. No finalisation date is given, and details may change, but the text offers a clear view of the regulator’s policy intent. For foreign businesses that see China’s data rules as complex, costly and unevenly enforced, this is a noteworthy recalibration.
A domestic business (including one that is foreign-invested) that handles the personal information of fewer than 100,000 individuals qualifies as a “small‑scale personal information processor” under the Draft Rules.
Importantly, the term “personal information processor” means an entity that independently decides on the purposes and processing methods during personal data processing activities. This is broadly similar to the concept of a “controller” under the GDPR.
This data volume threshold is notably distinct from the employee headcount and financial size criteria (turnover and total assets) used to define 'small mid-cap enterprises' (SMCs) in the proposed EU Digital Omnibus.
Similarly, unlike other recent rules released by the CAC, there is no timebox for this threshold, such as on an annual basis or over the lifespan of the organisation. Multinationals should expect to justify, if asked, how they count “100,000 individuals” and maintain records to support that assessment.
The Draft Rules significantly simplify how small-scale processors must meet key transparency and consent requirements under the Personal Information Protection Law (PIPL). Important relaxations include:
The Draft Rules set out a more lenient enforcement stance for small-scale processors. Namely, there should be no significant penalty where:
(a) the violation is minor and causes no harmful consequences, and is corrected promptly;
(b) it is a first‑time violation (even if not so “minor”), has only minor harmful consequences, and is corrected promptly; or
(c) other circumstances exist where the law allows no punishment.
That said, authorities may still conduct interviews, issue warning letters or take other administrative steps against the small business.
In addition, in line with the recent legislative trend of the CAC, reduced penalties are encouraged where processors:
(a) actively reduce harmful consequences;
(b) voluntarily disclose violations unknown to regulators;
(c) promptly inform individuals and take remedies after a security incident, and report to the authorities;
(d) cooperate with the authorities performing their duties; or
(e) otherwise meet conditions for mitigation.
The Draft Rules should, if adopted, save small businesses significant costs and the potential need for dedicated privacy expertise.
However, while the Draft Rules offer a chance to identify and streamline compliance for smaller China‑facing operations, the rules do not remove the need for a robust data compliance framework, structured risk assessment, careful cross‑border planning and active oversight of local entrusted parties processing data on their behalf.
In particular, while the direction of travel for regulatory scrutiny may be clearer, business counterparties may be reluctant to loosen vendor and other third-party management processes until the Draft Rules are implemented. Accordingly, multinationals should not treat these relaxations as a basis for reducing oversight of their China operations.
The broader enforcement landscape reinforces this caution. Just one day before the Draft Rules were published, the CAC together with other authorities jointly announced a series of specialised enforcement actions for 2026, targeting unlawful collection and use of personal information across apps/SDKs, internet advertising, education, transport, healthcare, financial services, and criminal cases involving personal information.
As always, watch this space and please reach out to our team where guidance is needed!