On February 14, 2025, the Cyberspace Administration of China ("CAC") finalized the "Personal Information Protection Compliance Audit Measures" ("Audit Measures"), which refines the draft version released on August 3, 2023 ("Draft Audit Measures") and will come into effect on May 1, 2025.
Chapter 1 - Background of the Audit Measures
Prior to the promulgation of the Audit Measures, Chinese laws and regulations had already established some requirements for personal information protection audits ("Data Audits"):
- Personal Information Protection Law of China ("PIPL") –
  - Article 54 – personal information handlers (i.e., organizations or individuals that are able to independently determine the purpose and means of processing personal information) must regularly conduct Data Audits to ensure adherence to laws and administrative regulations ("Regular Audit");
  - Article 64 – authorities responsible for personal information protection, upon discovering significant risks or incidents related to personal information processing activities, may order the personal information handler to engage a professional institution to conduct a Data Audit ("Authority-Instigated Audit").
- Regulations on Network Data Security Management ("NDSM") –
  - Article 27 – network data handlers (i.e., organizations or individuals that are able to independently determine the purpose and means of processing network data) must regularly conduct Data Audits, either by themselves or through professional institutions, to ensure adherence to laws and administrative regulations.
The existing regulatory regime clearly outlines two scenarios for conducting Data Audits, i.e., the Regular Audit and the Authority-Instigated Audit. On this basis, the Audit Measures provide further guidance on the conduct of Data Audits, the selection of professional institutions to conduct them, the frequency of audits, and the obligations of personal information handlers and professional institutions during Data Audits. The aim is to offer systematic and operational standards for personal information handlers to carry out Data Audits, thereby promoting the legal and compliant handling of personal information.
Chapter 2 - Scope of Application
The Audit Measures explicitly apply to Data Audits conducted by personal information handlers within the territory of China. It remains unclear whether offshore personal information handlers that are subject to the PIPL’s extra-territorial application would also be required to complete Data Audits in accordance with the Audit Measures, although they have been required to conduct Regular Audits under PIPL.
Chapter 3 - When Do Personal Information Handlers Need to Conduct Data Audits?
Regular Data Audits
- Building on the PIPL and the NDSM, the Audit Measures specify the circumstances under which personal information handlers are obliged to conduct a Regular Audit ("Mandatory Regular Audit").
- Processing of over ten million China-based individuals' information. Compared with the Draft Audit Measures, the threshold and frequency for conducting the Mandatory Regular Audit have been raised from processing over one million China-based individuals' information at least once a year to processing over ten million China-based individuals' information at least once every two years. This echoes the NDSM, which also sets forth strengthened data protection obligations for network data handlers processing over ten million China-based individuals' information, i.e., appointing a network data security officer and establishing a dedicated management institution responsible for security systems, procedures, risk monitoring, emergency drills, and handling complaints; and implementing data disposal plans and reporting them, together with recipients' details, to the relevant authorities upon significant changes such as mergers, divisions, dissolution or bankruptcy.
- Processing of fewer than ten million China-based individuals' information. Accordingly, personal information handlers processing fewer than ten million China-based individuals' information are not obliged to conduct the Mandatory Regular Audit every two years and are given some flexibility in performing the Regular Audit (e.g., the criteria for initiating a Regular Audit and its frequency), aiming to balance compliance burdens with operational efficiency. That said, such flexibility does not exempt these personal information handlers from Data Audit obligations under other laws or administrative regulations. According to the Q&A session on the Audit Measures, these personal information handlers should reasonably determine the frequency of Regular Audits based on their own circumstances. Also, the Regulations on the Protection of Minors in Cyberspace require personal information handlers processing minors' personal information to conduct Data Audits annually.
- The Regular Audit may be conducted either by personal information handlers themselves or through professional institutions.
Authority-Instigated Audit
- The Audit Measures clarify three specific scenarios in which the Authority-Instigated Audit will apply –
  - where there are significant risks in personal information processing activities, e.g., a serious impact on personal rights and interests or severely inadequate security measures;
  - where there are personal information processing activities that may infringe on the rights and interests of numerous individuals; and
  - where there are personal information incidents leading to the leakage, tampering, loss, or destruction of the personal information of over 1 million individuals or of the sensitive personal information of over 100,000 individuals.
- These scenarios triggering the Authority-Instigated Audit essentially align with the compliance obligations stipulated in the PIPL and the NDSM. Meanwhile, the Audit Measures also aim to prevent redundancy and reduce compliance costs by stating that an Authority-Instigated Audit shall not be repeatedly required for the same incident or risk.
- Personal information handlers shall, by engaging a qualified professional institution at their own expense, complete the Authority-Instigated Audit within the prescribed time (unless an extension is granted) and submit the Data Audit report to the relevant authorities.
- For issues discovered during the Authority-Instigated Audit, personal information handlers shall rectify them as required by the authority and formulate and submit a rectification report within 15 working days after completing the rectification. This aims to urge personal information handlers to promptly address and mitigate risks following the Authority-Instigated Audit.
Chapter 4 - Specific Requirements
Under the Audit Measures, personal information handlers processing the personal information of over 1 million individuals must designate a personal information protection officer responsible for compliance audits. It remains unclear whether this is intended to clarify the threshold for the requirement to appoint a personal information protection officer (i.e., the DPO) under the PIPL.
Additionally, the Audit Measures echo the PIPL by proposing an independent oversight mechanism for personal information handlers providing significant internet platform services with large user bases and complex business types. These handlers must establish an independent body, mainly consisting of external members, to oversee personal information protection compliance audits, regardless of whether the audit is conducted internally or by a professional institution.
Chapter 5 - Data Audit by the Professional Institutions
According to the Audit Measures, personal information handlers are required to engage professional institutions for Authority-Instigated Audits and may choose whether to engage such institutions for Regular Audits. The Audit Measures set forth specific conditions for the operation and audit activities of professional institutions providing Data Audit services in China.
- Competence. Professional institutions should possess the capability to conduct Data Audits, including appropriate auditing personnel, venues, facilities, and financial resources. Additionally, the Audit Measures aim to implement a certification and accreditation mechanism of professional institutions providing Data Audit services, to guide personal information handlers in selecting professionally competent institutions.
- Independence. The same professional institution, its affiliated institutions, and the same compliance audit leader shall not conduct Data Audits for the same audit target more than three consecutive times.
- Non-delegation. Professional institutions are prohibited from subcontracting Data Audits to other entities.
- Confidentiality. Professional institutions shall maintain confidentiality regarding personal information, trade secrets, and confidential business information obtained during the audit, and shall not use the information acquired from the audit for unrelated purposes or disclose it to unauthorized parties. Professional institutions are also required to delete the relevant information in a timely manner after completing the compliance audit work.
Chapter 6 - Key Points of Data Audit
The Audit Measures provide the Guidelines for Personal Information Protection Data Audits ("Audit Guidelines") as an attachment for personal information handlers to follow when conducting the Data Audit, either internally or by a professional institution.
The Audit Guidelines summarize key check points from the relevant laws and administrative regulations on personal information protection, e.g., the PIPL, the NDSM, the Data Security Law, the Cybersecurity Law, etc. They list twenty-six audit items, including the legal basis of personal information processing activities, the processing rules, joint processing, entrusted processing, transfers to other personal information handlers, cross-border transfers, automated decision-making, the processing of sensitive personal information, etc.
While the Audit Measures do not provide detailed procedural requirements for conducting Data Audits, the draft non-binding national standard Data Security Technology: Personal Information Protection Compliance Audit Requirements, issued on July 12, 2024, provides a good reference for personal information handlers to follow. It includes guidelines on the principles of personal information protection compliance audits, implementation requirements, auditor standards, audit processes, and evidence management, as well as templates for audits and reports.
Next Steps
With the upcoming implementation of the Audit Measures, it is crucial for enterprises and organizations in China to verify their standing against the thresholds established under the Audit Measures and to start the necessary actions by referring to the Audit Guidelines without delay. Even those that do not meet the thresholds thereunder should conduct a thorough review of their personal information compliance program against the Audit Guidelines to help identify and address any non-compliance issues or security gaps in a timely manner. This would effectively prevent Authority-Instigated Audits.