DCC summary, not a translation. GB/T 44588-2024 is a copyrighted national standard. The structured summary below is DCC’s own paraphrase grounded in the standard’s title and number; specific clauses should be checked against the published text.
Scope
GB/T 44588-2024 specifies personal-information processing rules for internet platforms and the products and services they offer. It is aimed at platform operators and at the products, services and third-party providers that operate within a platform ecosystem, and addresses how personal information should be processed across that ecosystem in line with the Personal Information Protection Law.
It is a recommended standard in the “Data Security Technology” (数据安全技术) series.
Key contents
At a structural level the standard is expected to cover:
- General requirements for personal-information processing by platform operators, applying PIPL’s principles (lawfulness, minimum necessity, transparency, purpose limitation) to the platform context.
- Notice, consent and transparency obligations as they apply to platform interfaces and to the relationship between the platform and the products/services running on it.
- Roles and responsibilities across the ecosystem — allocating personal-information obligations between the platform operator and in-platform product/service providers and third parties.
- Platform ‘gatekeeper’ duties reflecting PIPL’s special obligations for large personal-information platforms (independent oversight, platform rules, management of in-platform operators, and public reporting).
- Subject rights, security measures and governance as applied to the platform setting.
Editor: verify specific clauses against the published standard.
How it fits the regime
GB/T 44588 operationalizes PIPL for the platform economy. PIPL applies generally to all personal-information handlers, and Article 58 imposes additional “gatekeeper” obligations on providers of important internet platforms with large user bases and complex businesses — including establishing independent oversight bodies, formulating platform rules, restraining in-platform operators that seriously violate the law, and publishing periodic personal-information-protection reports.
This standard supplies platform-specific implementation detail for those obligations and for ordinary PIPL compliance across a multi-party platform ecosystem. For overseas compliance teams operating or selling through Chinese internet platforms, it is the reference for how personal-information responsibilities are expected to be allocated and discharged between platform and participants. It complements the app- and scenario-specific rules and the general personal-information standards (GB/T 35273, notice-and-consent, sensitive-PI).