On 3 April 2026, the Cyberspace Administration of China (“CAC”) published the Draft Provisions on Simplified Personal Information Protection Measures for Small Scale Personal Information Handlers (the “Draft Provisions”). The Draft Provisions are designed to offer a proportionate, lighter touch compliance path for handlers whose scale, capability and risk profile justify less burdensome rules – without sacrificing the core protection of personal information and individual rights.
This briefing summarizes the main areas of simplification under the Draft Provisions and the potential impact that the new rules – once implemented – may have on commercial activities involving the processing of personal information.

I. Who is a “small scale handler”?
The Draft Provisions set a single, bright‑line test: processing personal information of fewer than 100,000 individuals.
- No reference to registered capital, headcount, revenue or industry sector. The focus is purely on the scale of processing activities – i.e., the exposure to risk.
- In practice, such handlers are typically not data‑driven businesses. Personal information is an ancillary element of operations rather than a core asset.
II. Where are the main simplifications?
Privacy policy – less is more
Content – only three items are required:
- Who is processing (handler’s name);
- Who to contact for exercising rights (designated person and contact details);
- How: purposes, methods, categories, retention period. For sensitive personal information, also necessity and impact on individual rights.
Form – flexible:
- Offline businesses may post a prominent notice on their premises.
- Online businesses may embed the disclosure in their service agreement; a separate privacy policy document is not mandatory.
“Free‑rider” mechanism – if an online platform, industrial park or property manager (collectively, the “Platform”) has issued a uniform privacy policy, and the small‑scale handler agrees to comply and is named in that policy, the handler need not issue its own. The same free‑rider mechanism applies to compliance audits and privacy impact assessments (“PIA”): if the Platform has already done the audit or PIA, the small‑scale handler using that platform may skip repeating the exercise.
Notice obligation – leaner but condition‑driven
Previously, a handler had to both publicize the privacy policy and separately notify individuals before processing (e.g., via pop‑ups, interactive prompts, SMS, email).
Under the Draft Provisions, the separate notification step can be waived if all of the following are met:
- No sensitive personal information is collected;
- Processing is strictly necessary for providing the product or service;
- The information is not shared externally; and
- The privacy policy has been made public.
In that case, making the privacy policy publicly available alone fulfills the notice obligation.
Cross‑border data transfers – procedural relief is limited
Article 11 of the Draft Provisions lists scenarios exempted from standard cross‑border formalities (security assessment, standard contract filing, certification). However, these exemptions do not materially expand the scope already available under the Regulations on Promoting and Regulating Cross‑border Data Flows (March 2024)[1].
In particular:
- For sensitive personal information (biometrics, financial data, health data, location tracking, etc.), outbound transfers remain restricted.
- The thresholds triggering mandatory security assessment or standard contract filing remain unchanged.
One genuine procedural simplification: under the Draft Provisions, certain data export security assessments that previously had to be reviewed by the CAC directly may be partially delegated to provincial CAC offices, with the final approval still at the central level.
Compliance audit – longer cycle, simpler method
- Frequency: every five years (compared to every two years for handlers processing >10 million individuals under the general compliance Audit Measures).
- Method: a self‑assessment checklist replaces a full‑scale external audit. The substantive audit items are not drastically reduced, but the method is far lighter.
III. Practical bottom line
Generally speaking, the Draft Provisions do not waive substantive obligations. They aim to reduce complexity so that small‑scale handlers can achieve compliance in a more concise, business‑pragmatic manner.
- Processing sensitive personal information;
- Cross‑border data transfers;
- Data security incident response; and
- Accountability for high‑risk processing activities.
For foreign‑invested companies
- If your China subsidiary processes <100,000 individuals and is truly independent in its data decision‑making, the Draft Provisions offer meaningful cost and administrative relief.
- However, be cautious: group‑wide data integration (e.g., global CRM, centralised HR systems, shared marketing platforms) may undermine a claim to “small‑scale” status. Regulators will look at substance, not form.
- Cross‑border transfers remain a high‑stakes area – the procedural relief is narrow. Do not rely on the Draft Provisions to sidestep standard export mechanisms.
We will continue to monitor the final version of the rules (comments close 3 May 2026) and provide updates as the regime crystallizes.
Annotations
[1] The Regulations on Promoting and Regulating Cross-border Data Flows (issued in March 2024) introduced certain exemptions / waivers for cross-border data transfer activities that meet specific conditions. For a detailed discussion, please refer to our previous article: Deepening China’s Legal Framework on Data Protection: from the Cybersecurity Law to the Regulations on Promoting and Regulating Cross-border Data Flows.
Sharon Hu
Associate