
Panoramic: Automotive and Mobility 2025
On 18 July 2025, the Cyberspace Administration of China (“CAC”) issued the Announcement on the Reporting of Personal Information Protection Officer Information (“CAC PIPO Reporting Announcement”), which launched a centralized online platform for personal information handlers (“Handlers”) to report the appointment of a Personal Information Protection Officer (“PIPO”), as mandated by the Personal Information Protection Law of the People's Republic of China (“PIPL”) and the Personal Information Protection Compliance Audit Management Measures (“Audit Measures”).
This alert outlines key compliance obligations, eligibility criteria, reporting requirements, and practical considerations for Handlers within and outside China that are subject to the PIPL.
Under the CAC PIPO Reporting Announcement, Handlers that have handled personal information of one million or more individuals before 18 July 2025 must complete the submission of their PIPO information ("PIPO Filing") by 29 August 2025 to the municipal/city-level CAC in the location where the Handler is situated. If the threshold is reached on or after 18 July 2025, reporting must be completed within 30 working days of crossing the one-million-individual threshold. When determining whether the threshold has been met, the total number of individuals whose personal information is handled by the Handler shall be deduplicated, and deleted or anonymized personal information shall not be taken into account.
The one-million-individual threshold is assessed on a per-legal-entity basis, not across the entire corporate group. Each independent legal entity (e.g., a PRC subsidiary) shall determine whether it, on its own account, processes data of one million or more individuals. Per our discussion with some local CACs, personal information originating from outside China - including personal information of foreign nationals - should be included in the count if it is processed within China, and mere storage of personal information on servers in China will also be regarded as a processing in China. However, we were advised by the CACs' officials, when determining whether the threshold for the PIPO reporting obligation is triggered, the data processed as a data processor shall not be counted toward the total volume.
Notably, per our discussion with some local CACs, the reporting obligation also applies to foreign entities subject to the PIPL under Article 3(2)—those offering goods or services to individuals in China or analyzing their behavior. The reporting obligation shall be fulfilled by its representative designated in accordance with Article 53 of the PIPL.
In our communications with local CACs across different provinces, we have observed variations in their interpretations and guidance on the PIPO Filing for offshore Handlers and the collective PIPO Filing of a foreign parent company and its domestic subsidiary (when both fall under the scope of the PIPL). As a result, the exact pathway for PIPO Filing may differ depending on the location of the company's Chinese operation. We strongly recommend confirming the submission process and any entity-specific questions directly with the local CAC office to ensure full compliance.
While the PIPL, the Audit Measures and the CAC PIPO Reporting Announcement do not explicitly require the PIPO to be a direct employee of the organization, the reporting form requests personal details such as name, job title, nationality, and contact information—strongly implying that the role is expected to be filled by a natural person within the company's organizational structure. Foreign nationals may serve in this role, provided that they are affiliated with the reporting entity or its group.
Applicants must upload proof of appointment, such as an official letter of designation, internal announcement, or job offer. The current system does not require the submission of employment contracts or work permits.
Handlers may designate one PIPO to be responsible for personal information protection across all business lines, or they may designate one overall personal information protection officer while also designating corresponding personal information protection officers for different applications/businesses/systems.
While the roles may appear similar, the PIPO under China’s PIPL differs significantly from the DPO under the EU’s General Data Protection Regulation (GDPR), which may make it difficult to appoint an individual to take both roles. The roles differ significantly in the following aspects:
The GDPR mandates that the DPO operates independently and not receive instructions regarding their data protection duties. Internal DPO shall not be subject to a conflict of interest due to his work in the IT Department, HR Department or senior management, where he would have to supervise himself. While PIPO is responsible for supervising the personal information processing activities and relevant protective measures, suggesting a need for operational independence, the position is still in the early stages of development and does not yet have statutory independence on the same level as that required under the GDPR.
Under the PIPL, the PIPO may be deemed a “directly responsible supervisor” or “other directly responsible personnel” under Article 66 of PIPL if she/he was directly responsible for any specific violations of PIPL. When the Handler violates the provisions of the PIPL or fails to fulfil the personal information protection obligations, the PIPO may face fines and professional disqualification, in addition to the administrative penalties imposed on the Handler (see details in Section 3). The GDPR, however, places liability primarily on the data controller or processor and explicitly protects the DPO from dismissal or penalty for performing their duties.
According to Article 22 of the Audit Measures, the roles and responsibilities of a PIPO include coordinating relevant departments and personnel, raising opinions and suggestions before major decisions related to personal information processing are made, stopping non-compliant processing activities and taking necessary corrective measures. Before appointing a PIPO, Handlers should ensure the appointee fully understands the scope of the role and its associated risks. To support effective performance, Handlers should grant the PIPO adequate authority, resources, and access to relevant data systems.
As discussed above, the PIPO may be held personally liable as a “directly responsible supervisor” or “other directly responsible personnel” under Article 66 of the PIPL, potentially facing fines (RMB 10,000–1,000,000) and disqualification from holding certain management positions. Handlers may consider providing professional liability insurance for the PIPO to mitigate personal risk.
However, personal liability is not automatic. As clarified in Article 13 of the Guidelines on the Exercise of Administrative Penalty Discretion by Cyberspace Authorities (effective 1 August 2025), when a Handler commits a violation, regulators will assess liability of relevant personnel based on the following factors:
Handlers must complete the reporting using official templates issued by the CAC. All documents must be stamped with the company seal and uploaded via the online system. The headquarters may uniformly organize branches, subsidiaries, and other affiliated entities to collectively submit the information of all PIPO involved if the following conditions are met:
Among others, the key items required for submitting PIPO information include:
If a dedicated PIPO has been assigned to a specific system or business unit, the processing details of each system or business unit shall be filled out separately with the corresponding PIPO. Otherwise, these fields may be left blank.
The reporting process requires robust internal data mapping and processing activity assessments. Handlers that have not conducted data inventories or mapped processing scenarios since the PIPL’s enactment may face significant challenges in completing accurate submissions.
When drafting the forms for PIPO reporting, Handlers shall ensure alignment between the reported information and other public or regulatory filings, including ICP license records, filings related to cross-border data transfers and privacy policies. Discrepancies may trigger regulatory scrutiny. After the Handler submits the information, the municipal/city-level CAC will conduct a review. The possible results include “submission completed”, “review not passed”, and “submission terminated”. During the review process, the CAC may return the application for improvement, requiring the Handler to supplement the relevant information. The CAC will specify the requirements for supplementation, and the Handler can consult the CAC by phone for details. The supplementary materials shall be submitted within 10 working days.
The CAC’s reporting system does not currently publish PIPO details. However, Article 52 of the PIPL requires Handlers to publicly disclose the PIPO’s contact information (e.g., phone number, email). Future public disclosure of PIPO details by CAC cannot be ruled out. Therefore, we recommend using business contact details rather than personal information when submitting the report.
Under the CAC PIPO Reporting Announcement, Handlers must submit a change of record filing within 30 working days following any material change to the submitted information, including:
The change of record filing requires re-uploading all materials and undergoing a new review process—similar to an initial submission. Therefore, we strongly advise Handlers to carefully select the PIPO and authorized reporting agent and use a company-managed mobile number for account registration (SMS verification is required for each login and submission).
Handlers that process personal data of one million or more individuals in China should act promptly to appoint a qualified PIPO, gather required documentation, and complete the online submission. Otherwise, as a legal matter, failure to comply with the PIPO appointment obligation may result in administrative penalties under PIPL.
Given the complexity of the reporting process and the potential personal liability involved, we recommend conducting a thorough internal review of data processing activities and governance structures well in advance of submission.
Hogan Lovells’ Privacy and Cybersecurity Team is actively monitoring governmental activities that could affect the PIPO Filing. We are committed to keeping our clients updated on the latest developments and providing strategic, practical advice and assistance on relevant matters.
Authored by Sherry Gong, Flora Feng, and Xun Li.