( April 30, 2026, 09:42 GMT | Official Statement) -- MLex Summary: China’s internet regulator has issued a new policy update clarifying that provisions in rules, including the Data Security Management Regulations and Personal Information Protection Audit Measures, do not count data that has already been deleted when calculating volumes of personal information. In the update issued Wednesday, the regulator said entities handling data of more than 10 million individuals must conduct compliance audits at least every two years, those processing between 1 million and 10 million must do so at least every three to four years, and those with fewer than 1 million at least every five years. It added that processors handling minors’ personal information must conduct annual compliance audits — either independently or through third-party institutions — regardless of whether they identify users as minors, in line with regulations on the online protection of minors.Statement follows (in Chinese). ...
Prepare for tomorrow’s regulatory change, today
MLex identifies risk to business wherever it emerges, with specialist reporters across the globe providing exclusive news and deep-dive analysis on the proposals, probes, enforcement actions and rulings that matter to your organization and clients, now and in the longer term.
Know what others in the room don’t, with features including:
- Daily newsletters for Antitrust, M&A, Trade, Data Privacy & Security, Technology, AI and more
- Custom alerts on specific filters including geographies, industries, topics and companies to suit your practice needs
- Predictive analysis from expert journalists across North America, the UK and Europe, Latin America and Asia-Pacific
- Curated case files bringing together news, analysis and source documents in a single timeline
Experience MLex today with a 14-day free trial.