The Cyberspace Administration of China (“CAC”) has released an announcement requiring eligible personal‑information processors (akin to “controllers” under EU GDPR) to report their designated Personal Information Protection Officer (“PIPO”). Below is a brief overview of the obligation and what it means in practice.
China’s Personal Information Protection Law (“PIPL”) first introduced the requirement to appoint a PIPO in 2021. Under Article 52 of the PIPL, controllers that handle personal information in quantities reaching CAC‑prescribed thresholds must designate a PIPO. The specific threshold was clarified in 2025 via the Administrative Measures on Personal Information Protection Compliance Audits (“Audit Measures”), which require appointment of a PIPO once a controller processes personal data of over one million individuals.
On 18 July 2025, the CAC issued an announcement obliging controllers handling personal data of more than one million individuals to file PIPO details with the municipal‑level CAC where they are located.
The announcement divides the filing deadlines into three main scenarios:
Filings are made on‑line through the “Personal Information Protection Service System”. Controllers should consult the PIPO Information Reporting System Filing Guide (Version 1.0) (“Filing Guide”) and upload the requested documents. A single filing may cover multiple branches or related entities.
After submission, the CAC has 15 working days to review the materials and may:
While the Filing Guide does not specify who may serve as PIPO, controllers must disclose the individual’s position and nationality. The examples provided suggest a preference for senior personnel (e.g., chairman, vice president, or department head) with relevant expertise. In addition, for a large organisation with multiple applications or lines of business, it is required to specify the PIPO for each application, with an overall organisational PIPO coordinating efforts. However, the Filing Guide does not prohibit appointing the same individual to serve as the PIPO for all applications as well as the overarching organisational PIPO.
From Article 22 in the annex of the Audit Measures—and the associated assessment criteria—we infer that a PIPO should:
Despite the existing rules, several uncertainties remain:
We anticipate that the CAC will address these questions in future guidance.
Organisations exceeding (or close to exceeding) the one‑million‑individual threshold should promptly:
We will continue to track future CAC announcements and release further alerts if substantive changes or clarifications emerge. Should you have any questions regarding this new filing requirement or the PIPO role, we would be more than happy to assist—please feel free to reach out to us at any time.
(Jingwen Chang is appreciated for her contributions to this article.)