Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · GB/T 44588

Data Security Technology — Personal Information Processing Rules for Internet Platforms and Products/Services (GB/T 44588-2024).

数据安全技术 互联网平台及产品服务个人信息处理规则 (GB/T 44588-2024)

FILED UNDER · Personal Information

DCC summary, not a translation. GB/T 44588-2024 is a copyrighted national standard. The structured summary below is DCC’s own paraphrase grounded in the standard’s title and number; specific clauses should be checked against the published text.

Scope

GB/T 44588-2024 specifies personal-information processing rules for internet platforms and the products and services they offer. It is aimed at platform operators and at the products, services and third-party providers that operate within a platform ecosystem, and addresses how personal information should be processed across that ecosystem in line with the Personal Information Protection Law.

It is a recommended standard in the “Data Security Technology” (数据安全技术) series.

Key contents

At a structural level the standard is expected to cover:

  • General requirements for personal-information processing by platform operators, applying PIPL’s principles (lawfulness, minimum necessity, transparency, purpose limitation) to the platform context.
  • Notice, consent and transparency obligations as they apply to platform interfaces and to the relationship between the platform and the products/services running on it.
  • Roles and responsibilities across the ecosystem — allocating personal-information obligations between the platform operator and in-platform product/service providers and third parties.
  • Platform ‘gatekeeper’ duties reflecting PIPL’s special obligations for large personal-information platforms (independent oversight, platform rules, management of in-platform operators, and public reporting).
  • Subject rights, security measures and governance as applied to the platform setting.

Editor: verify specific clauses against the published standard.

How it fits the regime

GB/T 44588 operationalizes PIPL for the platform economy. PIPL applies generally to all personal-information handlers, and Article 58 imposes additional “gatekeeper” obligations on providers of important internet platforms with large user bases and complex businesses — including establishing independent oversight bodies, formulating platform rules, restraining in-platform operators that seriously violate the law, and publishing periodic personal-information-protection reports.

This standard supplies platform-specific implementation detail for those obligations and for ordinary PIPL compliance across a multi-party platform ecosystem. For overseas compliance teams operating or selling through Chinese internet platforms, it is the reference for how personal-information responsibilities are expected to be allocated and discharged between platform and participants. It complements the app- and scenario-specific rules and the general personal-information standards (GB/T 35273, notice-and-consent, sensitive-PI).

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →