On 12 February 2025, the Cyberspace Administration of China (CAC) issued the Measures for the Administration of Personal Information Compliance Audit, which will take effect from 1 May 2025. The draft of the audit measures was first released for solicitation of public comment on 3 August 2023, and it took 18 months for the CAC to finalise the audit measures.
In the final version of the audit measures, there are a few notable changes compared with the draft version, which reflect the evolving and more relaxed data protection regulatory stance of the CAC.
The audit measures are detailed rules for the implementation of the general requirements for personal information protection compliance audits stipulated under the Personal Information Protection Law (PIPL) and the Regulations on the Administration of Network Data Security, which took effect from 1 January 2025.
Under the PIPL, each personal information processor (PIP) – which is akin to a data controller under the data privacy laws in the EU and some other jurisdictions – has a statutory obligation to conduct a personal information compliance audit periodically (article 54 of the PIPL).
Where any considerable risk is found in the personal information activity of a PIP or any personal information security incident is found with a PIP, the relevant data protection authority in China, such as the CAC, may require such PIP to engage a professional institution to conduct an audit (article 64 of the PIPL).
Article 27 of the Network Data Security Regulations requires each network data processor (a concept that can be considered almost equivalent to the PIP, where only personal information but not other data is concerned) to conduct an audit periodically, either by itself or by engaging a professional institution to do the same.
The PIPL, the Network Data Security Regulations and other laws and regulations have imposed quite a large number of data protection obligations on PIPs.
Obviously, the CAC does not, and will never, have sufficient resources and bandwidth to supervise all PIPs’ personal information processing activities. By establishing and rolling out the audit requirements, the CAC will be able to leverage social resources (whether PIPs themselves, or the professional institutions engaged by them) to exert a more effective mandate on PIPs for ongoing compliance of personal information processing activities with applicable laws and regulations.
Recommendations
The audit measures do not stipulate how often a PIP processing no more than 10 million individuals’ personal information should conduct the audit, or when the first audit should be initiated and completed. Therefore, even after 1 May 2025, an immediate audit would not be mandatory for a PIP.
Further guidance, including a recommended national standard, is still expected. PIPs in China may consider temporarily holding off the formal commencement of the audit, while keeping abreast of the regulatory development and getting prepared for a comprehensive audit.
However, preparation can begin now. PIPs processing large amounts of personal information should use this time to conduct data mapping and inventory to assess:
- The total number of individuals in China whose personal information is processed by it; and
- The exact business scenarios involving the processing of personal information.
If a PIP is likely to meet the audit threshold, or anticipates security risks, early planning and risk assessments may help mitigate compliance issues. Taking proactive steps could reduce the likelihood of being required to conduct an audit by authorities, and prevent major non-compliance findings.
PIPs that process more than 10 million individuals’ personal information should plan for periodical audits, ideally completing them within two years after the audit measures take effect.
Beyond compliance, audits could also have profound business implications.
Regulators may request audit evidence to demonstrate a PIP's compliance with the data protection and data security laws and regulations. PIPs receiving personal information from others may also need to prove compliance to business partners. Although some flexibility exists, PIPs should not take the audit requirements lightly, as compliance can affect regulatory scrutiny and business operations.
Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by e-mailing Howard Wu (Shanghai) at howard.wu@bakermckenzie.com