Understanding new compliance rules for personal data protection

By Cai Liren and Sun Quan, Ronly & Tenwen Partners

In February 2025, the Cyberspace Administration of China (CAC) formally released the Administrative Measures for the Personal Information Protection Compliance Audit, which for the first time systematically establishes a compliance audit system for personal information processing activities.

The measures will come into force on 1 May 2025, marking a new phase in China’s personal information protection regulation, characterised by “proactive compliance plus mandatory audits”. For businesses, understanding the necessity of compliance audits, grasping their key points and fully realising their value has become an urgent priority.

Q: Why has a compliance audit for personal information protection become a ‘must-answer question’ for businesses?


A: Compliance audits have shifted from being optional to mandatory, based on three main necessities.

Legal requirements. According to article 4 of the measures, personal information processors handling data on more than 10 million individuals must conduct compliance audits at least once every two years. Processors below this scale, although not subject to the same mandatory frequency, are still expected to carry out audits regularly. Enterprises failing to meet these obligations may face administrative sanctions such as rectification orders and fines.

In addition, article 5 of the measures clearly stipulates that if a company exhibits significant risk vulnerabilities (for example, lacking adequate security measures), potentially infringes the rights of numerous individuals or experiences a large-scale personal information leak (for instance, affecting more than one million individuals), regulatory authorities may directly require the company to commission a professional agency to carry out an audit.

Urgent need for risk prevention. In recent years, frequent cases of administrative penalties, civil compensations and reputational damage have arisen from data breaches and the improper handling of personal information. A compliance audit conducts a systematic review of the legality of a company’s processing activities, enabling the early identification of risk vulnerabilities and the prevention of serious consequences.

Reflection of corporate social responsibility. Personal information protection has become a core dimension of the ESG (environmental, social and governance) evaluation system for companies. Proactively implementing compliance audits not only demonstrates adherence to the law but also effectively communicates to users, partners and the public the image of a “responsible data processor”.

Q: Which enterprises should focus on compliance audit obligations?


A: Firstly, large internet platforms and data-intensive enterprises – namely those handling personal information of more than 10 million individuals, such as e-commerce, social networking and fintech platforms – must undergo mandatory audits every two years.

According to article 12 of the measures, “significant internet platform service providers” are also required to establish an external independent supervisory body to review audit outcomes. Cross-border data flow entities, such as companies providing personal information overseas, must additionally comply with article 15 of the Personal Information Protection Compliance Audit Guidelines, which focuses on security assessments for data outbound transfers and standard contract filing.

Enterprises operating in high-risk scenarios – including those handling sensitive personal information (for example, biometric or health data), employing automated decision-making (such as algorithmic recommendations) or installing surveillance equipment in public areas – face heightened regulatory audit requirements due to the significant impact of their activities on individual rights.

Q: What are the core review contents of compliance audits?

A: The guidelines list 27 review items that can be summarised into five core modules.

Legality basis and processing rules. Reviewing whether personal consent was lawfully obtained (for instance, separate or written consent), if the processing objectives and methods are justified and necessary, and whether information regarding retention periods and channels for exercising rights was clearly informed.

Compliance in special scenarios. Ensuring that automated decision-making processes safeguard outcome fairness and offer opt-out options, verifying that impact assessments have been carried out for sensitive information processing with corresponding restrictions applied, and confirming that cross-border data transfers have undergone the requisite security assessments or certifications.

Technical and management measures. Determining if technical measures have been deployed, and if a security incident contingency plan is in place and regularly tested.

Organisational and institutional safeguards. Checking if a chief officer for information protection is designated, internal management systems are established, and staff training is implemented.

User rights responses. Assessing whether a convenient complaints mechanism exists, and if requests by users to access or delete data are addressed promptly.

Q: What substantive benefits can compliance audits bring to enterprises?

A: Compliance audits enable enterprises to manage risks proactively by systematically identifying contractual deficiencies, technical vulnerabilities or management blind spots, thereby preventing minor oversights from causing major penalties.

Audit reports serve as authoritative endorsements of an enterprise’s compliance capabilities, enhancing market trust, particularly in cross-border data collaborations, financing or M&A. The resulting data flow diagrams and access control lists can be directly adopted as standardised templates within an enterprise’s data governance framework, optimising internal management efficiency.

Should a data security incident occur, the audit record can show that the enterprise has exercised due diligence, helping to reduce or exempt it from legal liability while lowering litigation and regulatory costs.

Q: What risks might enterprises face if they refuse or neglect compliance audits?

A: Enterprises may face multiple legal consequences. According to article 18 of the measures, personal information processors and professional organisations that violate compliance audit provisions will be dealt with under the Personal Information Protection Law and the Regulations on the Management of Network Data Security, with criminal liability pursued if applicable.

In cases where management negligence results in serious incidents, users may assert that the enterprise failed to fulfil its responsibilities, establishing fault and seeking compensation. Once regulatory penalty information is officially disclosed, it can erode customer trust, lead to the loss of clients, and attract negative reactions from the capital market, collectively hindering the company’s development.

Cai Liren is a senior partner and Sun Quan is an executive committee member of the cybersecurity and data compliance professional committee at Ronly & Tenwen Partners

Ronly & Tenwen Partners
17/F, Jinmao Tower
88 Century Avenue
Shanghai 200120, China
Tel: +86 21 6840 7858
Fax: +86 21 6840 7599
E-mail: cailr@rtlawyer.com.cn
sunq@rtlawyer.com.cn
