/>iOn July 18, 2025, the Cyberspace Administration of China (the “CAC”) issued the Notice on Launching the Reporting Mechanism for Personal Information Protection Officers (the “Notice ”). This development marks a significant step in China’s regulatory enforcement of the Personal Information Protection Law (the “PIPL”) and its implementing rules, particularly the Administrative Measures on Compliance Audits of Personal Information Protection, effective June 1, 2025.
The Notice introduces a mandatory online reporting system for designated Personal Information Protection Officers (the “PIPOs”) and outlines specific obligations for personal information (the “PI”) processors who have reached the statutory processing thresholds.
1. Covered Entities and Reporting Deadlines
The reporting obligation in the Notice applies to:
- any PI processor (including but not limited to enterprises, public institutions, and platforms) that processes PI of 1 million or more individuals (the “Threshold”),
- regardless of whether such processor is located domestic or overseas.
In the Notice, the CAC has delineated three distinct compliance timelines:
(a) Newly Qualifying Processors (Post-Notice)
PI processors that reach the Threshold on or after July 18, 2025 shall report within 30 working days from the date the Threshold is reached.
(b) Existing Processors (Pre-Notice)
PI processors that had already reached the Threshold prior to July 18, 2025 shall complete their initial reporting no later than August 29, 2025.
(c) Ongoing Update Obligations
If there is any material change to the information submitted (e.g., change of PIPO, contact details, or organizational structure), an updated report shall be filed within 30 working days from the date of the change.
2. Reporting Procedure
According to the Notice, all reporting must be completed online through the CAC’s designated platform.Entities that fail to comply with the reporting requirements, whether through omission, delay, or submission of false information, may face regulatory action under the PIPL and other applicable regulations.
3. Key Takeaways and Recommendations
Companies that currently or plan to operate in in China may consider:
- Evaluate Data Volume: Assess whether your organization processes or controls personal information of 1 million or more individuals (including without limitation users, employees, and customers).
- Appoint a PIPO: Designate a qualified individual to serve as your Personal Information Protection Officer in accordance with internal governance protocols.
- Prepare Documentation: Collect and verify required documentation for submission, including corporate identification, PIPO resume/contact details, and internal data governance policies.
- Monitor Compliance Deadlines: Establish internal tracking mechanisms for ongoing compliance with reporting timelines and change notifications.
- Integrate with PIPL Compliance: Align this reporting obligation with your broader PIPL compliance framework, including audit readiness, cross-border data transfer reviews, and consent management.
Frederic Yan contributed to this article
