China Mandates Data Officer Registration by August, With Fines for Non-Compliance
China’s cyber regulator has imposed a new compliance deadline on companies handling large volumes of personal data, in its latest move to tighten data privacy oversight. The Cyberspace Administration of China (CAC) now requires all “personal information processors” above a certain size to appoint a dedicated data protection officer (DPO) and file the DPO’s details with authorities by August 29, 2025 (reedsmith.com). Businesses falling under the mandate – broadly, those processing personal data of over one million individuals – include consumer-facing multinationals in tech, retail, finance and other sectors with extensive user data (reedsmith.com). Companies that miss the filing deadline face legal liability, with fines to be imposed on both the company and the responsible officer (reedsmith.com).
The new DPO filing requirement was announced by the CAC on July 18, 2025, as part of a notice aimed at enforcing China’s Personal Information Protection Law (PIPL) (reedsmith.com). The PIPL already obligates large-scale data handlers to designate a person in charge of personal information protection, but the CAC’s notice adds teeth by demanding official registration of that person. According to a client alert from Reed Smith, qualifying companies must submit the DPO’s name and contact information to their local CAC bureau by the deadline (reedsmith.com). This rule applies equally to Chinese companies and to overseas businesses without a physical China presence if they collect data on over a million Chinese residents – the latter must appoint a local agent in China and report that agent’s information as the DPO (reedsmith.com). Crucially, the CAC has clarified there is no nationality requirement for the DPO: the officer can be a Chinese or foreign citizen, but must have relevant expertise in data protection (reedsmith.com) and be empowered to enforce compliance across the organization (reedsmith.com). Once designated, the DPO will bear personal responsibility alongside the company for ensuring compliance with data laws, and regulators have signaled that both parties will be held accountable in the event of violations (reedsmith.com).
This mandate is forcing an immediate compliance scramble for big data-driven companies. Industry observers note that China’s privacy regulators have moved swiftly from establishing legal frameworks to enforcing them. The CAC’s notice gives companies that were already over the 1 million user threshold prior to July only 30 working days – until end of August – to register their DPO (reedsmith.com). New companies that cross the threshold in the future must file within 30 days of doing so (reedsmith.com). The risk of non-compliance is not abstract: under the PIPL, penalties for serious infractions can reach up to ¥50 million or 5% of a firm’s annual revenue, and responsible executives (now including DPOs) can be personally fined or even barred from leadership roles (iapp.org). Regulators have also indicated that failure to file the DPO info will be considered a violation of law, potentially triggering investigations or public exposure. Foreign law firms are advising clients to treat the DPO not as a mere figurehead, but as a linchpin of their China data governance. “Companies and DPOs must act immediately to assess their obligations and meet the filing deadline,” the Reed Smith briefing urged (reedsmith.com). Recommended steps include confirming if the 1 million individual threshold is met across China affiliates, formally appointing a qualified DPO (or local representative for overseas firms), and preparing the necessary documentation for CAC submission. Beyond the paperwork, businesses should empower their DPO with the resources to enforce PIPL compliance – from conducting the newly mandated personal information compliance audits (required every two years for big processors; reedsmith.com) to overseeing cross-border data transfer assessments. The accelerated timeline underscores China’s determination to plug enforcement gaps in its data protection regime.
Multinationals that handle Chinese customer or employee data are under the gun to build out robust data officer functions or risk fines and reputational damage in a jurisdiction increasingly serious about privacy.