---
title_en: "Data Security Technology — Personal Information Processing Rules for Internet Platforms and Products/Services (GB/T 44588-2024)"
title_zh: "数据安全技术 互联网平台及产品服务个人信息处理规则 (GB/T 44588-2024)"
abbreviation: "GB/T 44588"
hierarchy: "standard"
issuing_body: "Standardization Administration of China; National Information Security Standardization Technical Committee (TC260)"
status: "effective"
related_laws: ["pipl"]
domains: ["personal-information"]
url: https://datacompliancechina.com/laws/gbt-44588-platform-pi-processing-rules/
summary: "GB/T 44588-2024 is a recommended national standard setting personal-information processing rules tailored to internet platforms and their products and services. It addresses how platform operators — and the products, services and third-party providers within their ecosystems — should handle personal information consistently with PIPL, including the heightened 'gatekeeper' obligations PIPL imposes on large platforms. It is one of the 2024 'Data Security Technology' series standards that build sector- and scenario-specific guidance on top of PIPL's general framework."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/gbt-44588-platform-pi-processing-rules/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Data Security Technology — Personal Information Processing Rules for Internet Platforms and Products/Services (GB/T 44588-2024)", https://datacompliancechina.com/laws/gbt-44588-platform-pi-processing-rules/
> *DCC summary, not a translation.* GB/T 44588-2024 is a copyrighted national standard. The structured summary below is DCC's own paraphrase grounded in the standard's title and number; specific clauses should be checked against the published text.

## Scope

GB/T 44588-2024 specifies **personal-information processing rules for internet platforms and the products and services they offer**. It is aimed at platform operators and at the products, services and third-party providers that operate within a platform ecosystem, and addresses how personal information should be processed across that ecosystem in line with the Personal Information Protection Law.

It is a **recommended** standard in the "Data Security Technology" (数据安全技术) series.

## Key contents

At a structural level the standard is expected to cover:

- **General requirements** for personal-information processing by platform operators, applying PIPL's principles (lawfulness, minimum necessity, transparency, purpose limitation) to the platform context.
- **Notice, consent and transparency** obligations as they apply to platform interfaces and to the relationship between the platform and the products/services running on it.
- **Roles and responsibilities** across the ecosystem — allocating personal-information obligations between the platform operator and in-platform product/service providers and third parties.
- **Platform 'gatekeeper' duties** reflecting PIPL's special obligations for large personal-information platforms (independent oversight, platform rules, management of in-platform operators, and public reporting).
- **Subject rights, security measures and governance** as applied to the platform setting.

> *Editor: verify specific clauses against the published standard.*

## How it fits the regime

GB/T 44588 operationalizes **PIPL** for the platform economy. PIPL applies generally to all personal-information handlers, and **Article 58** imposes additional "gatekeeper" obligations on providers of important internet platforms with large user bases and complex businesses — including establishing independent oversight bodies, formulating platform rules, restraining in-platform operators that seriously violate the law, and publishing periodic personal-information-protection reports.

This standard supplies platform-specific implementation detail for those obligations and for ordinary PIPL compliance across a multi-party platform ecosystem. For overseas compliance teams operating or selling through Chinese internet platforms, it is the reference for how personal-information responsibilities are expected to be allocated and discharged between platform and participants. It complements the app- and scenario-specific rules and the general personal-information standards (GB/T 35273, notice-and-consent, sensitive-PI).
