Client Alert: Cyberspace Administration of China Rolls Out Mandatory Reporting of Personal Information Protection Officers

Written By

James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

Tanya Luo

Associate
China

I am a data associate in our Beijing office. My practice focuses on data privacy, cybersecurity, and telecommunications.

The Cyberspace Administration of China (“CAC”) has released an announcement requiring eligible personal‑information processors (akin to “controllers” under EU GDPR) to report their designated Personal Information Protection Officer (“PIPO”). Below is a brief overview of the obligation and what it means in practice.

1.  BACKGROUND

China’s Personal Information Protection Law (“PIPL”) first introduced the requirement to appoint a PIPO in 2021. Under Article 52 of the PIPL, controllers that handle personal information in quantities reaching CAC‑prescribed thresholds must designate a PIPO. The specific threshold was clarified in 2025 via the Administrative Measures on Personal Information Protection Compliance Audits (“Audit Measures”), which require appointment of a PIPO once a controller processes personal data of over one million individuals.

2.  LATEST DEVELOPMENT

On 18 July 2025, the CAC issued an announcement obliging controllers handling personal data of more than one million individuals to file PIPO details with the municipal‑level CAC where they are located.

2.1  Reporting Timeline

The announcement divides the filing deadlines into three main scenarios:

  • Existing Controllers: Those already processing personal data of one million individuals before the announcement must file on or before 29 August 2025.
  • Newly Reaching Threshold: Those that start processing personal data of one million individuals after the announcement must file within 30 working days from the date that threshold is reached.
  • Changes to Filed Information: Any material change to the filed information must be reported within 30 working days, effectively re‑filing with updated materials.

2.2  Reporting Procedure

Filings are made on‑line through the “Personal Information Protection Service System”. Controllers should consult the PIPO Information Reporting System Filing Guide (Version 1.0) (“Filing Guide”) and upload the requested documents. A single filing may cover multiple branches or related entities.

After submission, the CAC has 15 working days to review the materials and may:

  • Approve the filing,
  • Return it for improvement (requiring a re-submission in 10 working days), or
  • Reject it.

2.3  PIPO Qualifications

While the Filing Guide does not specify who may serve as PIPO, controllers must disclose the individual’s position and nationality. The examples provided suggest a preference for senior personnel (e.g., chairman, vice president, or department head) with relevant expertise. In addition, a large organisation with multiple applications or lines of business is required to specify the PIPO for each application, with an overall organisational PIPO coordinating efforts. However, the Filing Guide does not prohibit appointing the same individual to serve as the PIPO for all applications as well as the overarching organisational PIPO.

From Article 22 in the annex of the Audit Measures—and the associated assessment criteria—we infer that a PIPO should:

  • Have relevant work experience/expertise in personal information protection,
  • Hold a clearly defined role and sufficient authority to coordinate across departments,
  • Be involved in decision‑making for major data‑related matters, and
  • Possess the power to halt and correct non‑compliant processing operations.

3.  PRACTICAL CHALLENGES

Despite the existing rules, several uncertainties remain:

  • Calculating “One Million”: Unclear whether that involves only currently held personal data or includes data that were collected but subsequently deleted or anonymised.
  • Filing Within 30 Working Days: Uncertain if submission alone is sufficient by the 30‑day mark, or if review completion must also occur in that period.
  • Nomination Criteria: Neither the PIPL nor the Audit Measures clarify whether PIPOs must be PRC nationals or whether certain seniority or professional certifications are mandatory.

We anticipate that the CAC will address these questions in future guidance.

4.  NEXT STEPS

Organisations exceeding (or close to exceeding) the one‑million‑individual threshold should promptly:

  • Confirm whether the threshold is met under a reliable method of counting personal data volume.
  • Designate a PIPO with the necessary authority, seniority, and expertise.
  • Submit the required documents and PIPO information within the applicable deadlines.
  • Monitor updates from the CAC and adjust internal procedures to align with any new clarifications.

We will continue to track future CAC announcements and release further alerts if substantive changes or clarifications emerge. Should you have any questions regarding this new filing requirement or the PIPO role, we would be more than happy to assist—please feel free to reach out to us at any time.

(We thank Jingwen Chang for her contributions to this article.)
