Following the draft Administrative Measures for Personal Information Protection Compliance Audits released for public comment in August 2023 (Draft Version) (see our previous note on the draft version: https://www.herbertsmithfreehills.com/notes/data/2024-posts/Spotlight-on-China--Prepare-for-the-Personal-Information-Protection-Compliance-Audit), on February 14, 2025 the Cyberspace Administration of China (CAC) issued the formal version of the Personal Information Protection Compliance Audit Management Measures, which was approved on May 20, 2024 and will take effect on May 1, 2025 (Measures).
The Measures aim to regulate compliance audits for personal information protection and to safeguard personal information rights. The Personal Information Protection Compliance Audit Guidelines (the Guidelines), which outline the critical areas for review, were issued together with the Measures.
The Measures consist of 20 articles addressing the audit subject, audit frequency and auditor identity, and will serve as a guideline for implementing the compliance audits that personal information processors (PI Processors) are required to conduct under the PRC Personal Information Protection Law (PIPL).
Application Scope
The Measures apply to PI Processors conducting personal information protection compliance audits within China. However, the Measures do not apply to the personal information protection compliance audit for state organs and organizations authorized by laws and regulations to have the function of managing public affairs.
Audit Scenarios
Self-initiated Audits: PI Processors can conduct audits internally or through a professional institution (Article 3).
Regulatory-Triggered Audits: The Cyberspace Administration of China (CAC) and other competent regulators (Competent Regulators) may require the PI Processor to engage a professional institution to conduct a compliance audit if any of the following circumstances applies (Article 5):
- there are significant risks in personal information processing activities, such as a serious impact on personal rights and interests or a serious lack of security measures;
- personal information processing activities may infringe upon the rights and interests of a large number of individuals;
- a personal information security incident occurs, resulting in the leakage, alteration, loss or destruction of the personal information of 1 million or more individuals, or the sensitive personal information of 100,000 or more individuals.
The Measures further provide that a PI Processor shall not be repeatedly required to conduct a compliance audit for the same PI security incident or risk.
When a regulatory-triggered audit is required, PI Processors shall perform the following obligations:
- provide necessary support to the auditors and bear the necessary audit cost (Article 8);
- select a professional institution as required and complete the compliance audit within the specified time limit; where the situation is complicated, the time limit may be appropriately extended after reporting to the Competent Regulators for approval (Article 9);
- Note: the 90-day limit in the Draft was removed from the Measures.
- submit the audit report to the Competent Regulators; the report shall be signed by the principal responsible person of the professional institution and the person in charge of the compliance audit, and affixed with the seal of the professional institution (Article 10);
- rectify the non-compliance issues as required by the Competent Regulator and submit a rectification report within 15 days after the audit (Article 11).
Note: The PI Processor shall carry out the rectification work in accordance with the requirements of the Competent Regulator, rather than the professional institution's opinion as provided under the Draft. The rectification report shall be submitted to the Competent Regulator directly; review by the professional institution is no longer needed.
Frequency of Audit
PI Processors processing the personal information of more than 10 million individuals are required to conduct a PI protection compliance audit at least once every two years (Article 4).
However, the Measures do not specify how the "10 million individuals" threshold is to be calculated. For example, where a PI Processor processes personal information as an entrusted processor in addition to processing it as a data controller, whether that personal information counts towards the "10 million individuals" threshold needs to be further clarified by the regulatory authorities.
Note: this differs from the 2023 Draft, which provided that PI Processors processing the personal information of more than 1 million individuals must conduct a compliance audit at least once a year, and that other enterprises must conduct an audit at least once every two years.
PI Processors processing the personal information of fewer than 10 million individuals may conduct compliance audits at intervals determined by their own circumstances.
Note: do not forget the special audit requirements for the processing of minors' personal information. According to article 37 of the Regulations on the Protection of Minors Online, PI Processors shall conduct an annual compliance audit of processing minors' personal information in compliance with laws and administrative regulations, and promptly report the audit to the regulatory authorities.
Audit Scope
As for the implementation of the audit, the Measures include the Guidelines for Personal Information Protection Compliance Audit as an annex, specifying the key areas for audit review, including: reviewing the legal basis and clarity of personal information processing rules, especially for sensitive and minor-related data; examining cross-border data transfer practices and the associated contracts; evaluating the mechanisms for protecting individuals' rights, such as deletion requests and explanations of processing rules; and assessing the robustness of the PI Processor's internal management systems, security measures, training plans, designated responsible persons, impact assessments and emergency plans, among others.
Requirements for Professional Institutions
Professional institutions conducting the audits must maintain independence, confidentiality and data security:
- they must have adequate personnel, facilities and technical capabilities;
- the same professional institution, together with its affiliates and the same individual responsible for compliance audits, must not conduct personal information protection compliance audits on the same audit subject more than three consecutive times;
- they must safeguard sensitive information obtained during audits and delete it after the audit;
- they may not subcontract the compliance audit to other organizations.
Special Requirements
PI protection officer: PI Processors processing the personal information of more than 1 million individuals shall designate a personal information protection officer to be in charge of the compliance audit.
The Measures impose additional requirements on PI Processors that provide important internet platform services, have a large number of users and operate complex business types:
- There shall be an independent body, mainly composed of external members, to oversee the personal information protection compliance audit, whether the audit is conducted internally or by a professional institution (Article 12).
Note: The requirements and criteria for such an independent body composed of external members still need to be further clarified. However, TC260 released a draft standard in August 2023, namely Information security technology-Requirements for large Internet enterprises internal, which provides detailed requirements on external members and procedural requirements for the appointment and dismissal of external members.
Enforcement and Penalties
- Competent Regulators will conduct inspections and demand rectification for non-compliance (Article 16).
- Non-compliance with the audit measures may result in penalties under the Personal Information Protection Law and the Regulation on Network Data Security Management, which includes fines and potential suspension of business operations (Article 18).
Observations
Given the imminent implementation of the Measures, enterprises are advised to check their position against the thresholds under the Measures and to refer to the Guidelines to commence the relevant work without delay. Even if the threshold amount of personal information processed is not reached, a comprehensive review of personal information security protection compliance is advisable. This proactive approach can help identify non-compliance issues or security deficiencies in a timely manner, thereby avoiding situations where a compliance audit is mandated by the regulatory authorities and rectification cannot be completed promptly or may negatively impact business operations.
We are committed to keeping our clients informed about the latest updates on this topic and to providing our assistance on the relevant issues.
Key contacts

Tracy Chen
Associate, Shanghai (Kewei)