China Publishes Draft Rules for Personal Information Protection Compliance Audits

Client Alert

The Cyberspace Administration of China ("CAC") on August 3, 2023 published the draft Administrative Measures for Personal Information Protection Compliance Audits ("draft Measures") for public comment through September 2, 2023. The draft Measures, if adopted in their current form, would serve as the guideline for implementing and managing the compliance audits of personal information processors ("PI Processors") required under the Personal Information Protection Law ("PIPL").

Under the PIPL, a PI Processor is defined as "entities and individuals that independently determine the purpose and method of PI processing activities". PI Processor here refers generally to domestic entities or individuals. PI Processors are obligated to either (i) regularly conduct compliance audits on their handling of personal information (PIPL, Article 54), or (ii) if CAC or other relevant departments find that there are high risks in PI processing activities or if PI security incidents have occurred, engage a specialized agency to conduct a compliance audit on their PI processing activities (PIPL, Article 64). We refer below to the first type of compliance audit as a "Regular Audit" and to the second type as a "Mandated Audit".

The draft Measures consist of 16 articles which address the questions of audit subject, audit frequency and auditor identity.

A PI Processor processing the PI of more than one million individuals would be required to conduct a compliance audit at least once a year; all other PI Processors would be required to conduct a compliance audit at least once every two years (Article 4). This means that even small PI Processors would be required to conduct biennial compliance audits. Note that the one-million-individual threshold also appears in the data export context: a data processor processing the PI of more than one million individuals is subject to a CAC-led data security assessment before exporting PI.

A Regular Audit, which the PI Processor initiates itself at the frequency described above, may be conducted by either an internal team or a third-party specialized institution (Article 5). A Mandated Audit must be conducted by a specialized external institution (Article 6). Such a Mandated Audit must be completed within 90 working days, subject to potential extension, after the applicable authority issues an audit requirement, and an audit report from the specialized institution must be submitted to the same authority (Articles 9-10). The PI Processor being audited shall follow the advice of the specialized institution with respect to any corrective action, and, after the specialized external institution has verified the corrective action, report back to the applicable authority on the action taken (Article 11).

According to the draft Measures, CAC together with the Ministry of Public Security and other relevant State Council departments will issue and maintain a catalogue of specialized compliance audit institutions, subject to annual evaluation and adjustment from time to time (Article 13), and no such specialized institution may conduct a compliance audit of the same party more than three times in a row (Article 12). Such a catalogue has yet to be issued.

The sixteen articles of the draft Measures say very little about the subject matter of the audits, but the 31 Reference Points for PI Protection Compliance Audit ("Reference Points") appended to the draft Measures outline the key points and benchmarks that a PI protection compliance audit would target, including the audit of data exports (Sections 15-16). For example, the audit would focus on whether the PI Processor has followed an appropriate channel to export PI (a CAC-led security assessment if certain thresholds are crossed, certification by a specialized agency, or a standard contract); whether PI has been provided to overseas judicial or law enforcement agencies without prior approval from the Chinese authorities; and whether appropriate measures have been taken to ensure that the overseas recipient of the PI maintains the standard of PI protection required under the PIPL. The Reference Points do not distinguish between a Regular Audit and a Mandated Audit.
