On July 12, 2024, TC 260, the technical committee responsible for information security standardisation in China, issued the draft National Standard ‘Data Security Technology - Personal Information Protection Compliance Audit Requirements’ (Draft Standard) for public consultation, with comments accepted until September 11, 2024. The Draft Standard complements the draft Administrative Measures for Personal Information Protection Compliance Audits (Draft Measures) released in August 2023. Together, the Draft Standard and the Draft Measures provide a comprehensive framework for complying with personal information protection requirements and for preparing businesses for compliance audits.
As a result, it seems likely that the audit requirements under the PRC Personal Information Protection Law (PIPL) will be implemented soon. It is therefore crucial for companies operating in China to understand these requirements, implement the necessary changes, and prepare to undertake personal information protection compliance audits.
Key Requirements
The Draft Measures consist of 16 articles which address the questions of audit subject, audit frequency and auditor identity. The Draft Measures, if adopted in their current form, would serve as a guideline to implement compliance audits for personal information processors (PI Processors) required under the PIPL.
Administrative Measures for Personal Information Protection Compliance Audits (Draft for Public Comment)
- Who Should Conduct the Audit: PI Processors, i.e. entities that independently determine the purposes and means of personal information processing activities, are required to conduct personal information protection compliance audits.
- Types of Audits: The audits are categorized into self-audits and compulsory audits:
- Self-Audits: Article 4 of the Draft Measures requires PI Processors to conduct compliance audits on a regular basis.
- Compulsory Audits: Article 6 of the Draft Measures provides that, if a competent regulatory authority identifies significant risks or personal information security incidents, it may require the PI Processor to engage a professional institution to conduct a compliance audit. The Draft Measures further require the PI Processor to provide necessary assistance to the professional institution, carry out the rectification the professional institution requires, submit the relevant report to the regulatory authorities, and complete the audit within the prescribed time.
- Frequency of Audits: The frequency of self-audits varies based on the amount of personal information processed by the PI Processor. For example:
- A PI Processor handling personal information of more than 1 million individuals should conduct the compliance audits at least once a year.
- Other PI Processors should conduct the compliance audits at least once every two years.
- Scope of Audits: The compliance audit focuses on the requirements outlined in the PIPL and the relevant national standards, which include personal information processing rules, cross-border provision of personal information, protection of personal information subject rights, obligations of PI Processors, and the special responsibilities of large internet platforms.
- Selection of a Professional Institution: Self-audits can be conducted internally by PI Processors or by a professional institution engaged by the PI Processor. For compulsory audits, however, a professional institution must be engaged to conduct the personal information protection compliance audit.
- Legal Liability for Violation of the Auditing Measures: Breaches of the Draft Measures are to be handled in accordance with the PIPL. Under the PIPL, a PI Processor that fails to perform its obligations relating to compliance audits may be subject to confiscation of illegal gains, an order to make corrections, suspension or termination of the application services used for the unlawful processing of personal information, and a fine of up to 1 million CNY. If the circumstances are sufficiently serious, a fine of up to 50 million CNY or up to 5% of the previous year's turnover may be imposed, the relevant business may be suspended or terminated, and the business licence or qualification may be revoked. The supervisors and other persons directly responsible at a PI Processor that refuses to make corrections may also be fined between 10,000 CNY and 100,000 CNY (if the circumstances are sufficiently serious, between 100,000 CNY and 1 million CNY), and may be prohibited from acting as directors, supervisors or senior managers for a certain period of time.
‘Data Security Technology - Personal Information Protection Compliance Audit Requirements’ (Draft for Comment)
The Draft Standard, together with its five attachments, provides comprehensive guidelines for conducting personal information protection compliance audits:
- Scope: The Draft Standard applies to PI Processors conducting personal information protection compliance audits and can also be used as a reference for relevant institutions conducting such compliance audits.
- Principles: Legality, independence, objectivity, comprehensiveness, fairness, and confidentiality.
- Requirements:
- Conduct audits regularly.
- Implementation Management: formulate internal management systems; ensure the independence of audits and the resources and authority required for the performance of duties.
- Evidence Management: PI Processors should ensure that the evidence supporting an audit is authentic, complete and valid, and that it meets the specific requirements set out in the Draft Standard.
- Requirements for Auditors: Auditors should have professional capabilities, independence, objectivity, fairness, and confidentiality.
- Attachments:
- Appendix A: Provides the process of the compliance audits including preparation, implementation, report, rectification and filing management.
- Appendix B: Details the evidence required for a personal information protection compliance audit.
- Appendix C: Describes the content and audit methods of a personal information protection compliance audit.
- Appendix D: Provides a template for personal information protection compliance audit working papers.
- Appendix E: Provides a template for the personal information protection compliance audit report.
Observations
The audit requirements under the Draft Standard cover procedural and evidentiary requirements, the contents of the audit, working papers, and reports. The audit scrutinises every aspect of the PI Processor's personal information processing activities: the legal basis, necessity, rules for data processing, and notifications to data subjects, through to any cross-border data transfer, data security measures, personal information protection impact assessments, and responses to data incidents.
Although neither the Draft Measures nor the Draft Standard has yet been implemented, they offer comprehensive guidance on conducting compliance audits for personal information protection, a matter of significant interest to PI Processors. Given the number of documents required for a personal information audit, including notices, consents, privacy policies, personal information protection impact assessments and records of security measures, it is worth PI Processors organising these documents now, ahead of the requirements coming into force, if they have not yet undertaken a thorough PIPL compliance review.
Those who have not yet conducted a personal information protection impact assessment should do so as well. Under the PIPL, such an assessment is required not only for cross-border data transfers but also for: (i) processing sensitive personal information; (ii) using personal information for automated decision-making; (iii) entrusting the processing of personal information to another party; (iv) providing personal information to other PI Processors; (v) disclosing personal information; and (vi) other personal information processing activities that significantly affect individuals' rights and interests.
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.