What You Need to Know about China’s New Personal Information Audit Requirements

Article 54 of the Personal Information Protection Law of the People’s Republic of China (“PIPL”) necessitates audits of Personal Information (“PI”) processing activities to be conducted by Personal Information Processors (“PI Processor”, similar to “controller” under the GDPR). However, how such audits should be conducted remained unclear until recently. On August 3, 2023, the Cyberspace Administration of China (“CAC”) issued the draft Administrative Measures for Personal Information Protection Compliance Audit (“Draft Measures”), providing a clear roadmap on how to navigate data audits for organisations. 

Background introduction

As a systematic process to examine and evaluate an organisation’s PI processing activities, a Personal Information Protection Compliance Audit (“PI Audit”) assumes a pivotal role in mitigating compliance risks and fortifying data governance practices within organisations. According to the Draft Measures, a PI Audit refers to the supervision activities of reviewing and evaluating whether the PI processing activities conducted by PI Processors comply with laws and administrative regulations. However, it is our understanding that other non-administrative level regulations, such as the department regulations issued by the CAC, may also be considered to ensure PI processing activities are trustworthy, secure, and compliant.

The Draft Measures sets forth comprehensive guidelines on several critical issues to initiate and complete PI Audits. These include specifying the subjects obligated to conduct PI Audits, defining different types of PI Audits, and establishing the frequency at which PI Audits should be performed. Additionally, the Draft Measures includes an Annex that presents a list of obligations that PI Processors should consider when conducting PI Audits. In this article, we share our observations and interpretations of the Draft Measures and provide a detailed checklist of requirements for PI Processors’ reference.

Key provisions and observations

I. Who should audit: the PI Processor

The Draft Measures sets forth comprehensive guidelines on the subjects, i.e., PI Processors who independently determine the purposes and means of PI processing activities, that are obliged to conduct PI Audits. Consequently, entrusted parties who solely engage in PI processing activities under the instructions of PI Processors, are not obligated to implement PI Audits.

In cases where organisations assume the role of PI Processor in certain scenarios and are the entrusted parties in others, they are only required to conduct PI Audits for activities performed as a PI Processor. However, this does not suggest the entrusted parties are unsupervised. In such scenarios, the PI Processor assumes the responsibility of conducting the audit, while the entrusted parties are required to provide assistance to the PI Processor in fulfilling their obligations under the PIPL (Article 59 of the PIPL). The arrangement ensures that PI processing activities are not audited repeatedly. To ensure smooth cooperation between the PI Processors and the entrusted parties, it is recommended to include a clause in the data protection agreements executed by the PI Processors and entrusted parties, stipulating the obligations to be imposed on the entrusted parties to assist the PI Processors in conducting PI Audits

Notably, Article 58 of the PIPL imposes additional obligations on operators of large-scale Internet platforms, including establishing an independent body primarily composed of external members to supervise their PI protection practices and publishing social responsibility reports on PI protection on a regular basis, among other requirements. To provide further guidance and support to these operators in performing their obligations, the Draft Measures presents supplementary requirements in the Annex.

II. How to audit: two ways to trigger

A. PI Audits initiated by the PI Processor

According to the Draft Measures, a PI Processor shall regularly conduct PI Audits. The audits could be carried out by either the PI Processor itself or an entrusted professional institution.

It should be noted that in the case of joint processing, each joint PI Processor bears the responsibility to conduct PI Audits. Multinational companies with multiple subsidiaries in China are required to conduct separate PI Audits by each subsidiary and affiliate acting as a PI Processor (instead of a unified PI Audit within the whole group) even if the PI processing activities of each subsidiary are similar.

As for the timing of audits, based on the number of individuals whose PI is processed by the PI Processor, the Draft Measures specifies two frequency requirements. These requirements are defined by a clear threshold of one-million individuals:

• PI Processors that have processed PI more than one million individuals must undergo a PI Audit at least once a year.
• PI Processors that have processed PI fewer than one million individuals must undergo a PI Audit at least once every two years. (It is important to note that there are no exemptions for small and medium-sized enterprises.)

Nevertheless, the interpretation of “once a year” or “once every two years” requires further clarification. For instance, if in practice, a PI Processor subject to the “once every two years” requirement decides to perform the PI Audit at the end of the second year within one audit cycle and then conducts the next PI Audit at the very beginning of the new cycle, the interval between these two PI Audits could be rather short. Technically speaking, it is possible for such a PI Processor to conduct only one substantive PI Audit to fulfil its obligations under the Draft Measure for four consecutive years. Therefore, interpreting the term "year" mentioned in the Draft Measures as a "calendar year" would be unreasonable. Further clarification is needed to guide PI Processors in conducting meaningful PI Audits that meet the frequency requirements specified in the Draft Measures.

Regardless of the exact interpretation of the interval period, the Draft Measures indicates the normalisation of PI Audits for PI Processors. Consequently, PI Processors will need to review their organisational structure and focus on the internal compliance construction to ensure their practice is in line with the Draft Measures and the PIPL.

B. PI Audit requested by the Supervisory Authorities

According to Article 64 of the PIPL, if departments fulfilling PI protection duties and responsibilities (“Supervisory Authorities”, including the CAC), while performing their duties, discover that there are risks in PI processing activities or a PI security incident has occurred, they may require the PI Processor to engage a professional institution to conduct a PI Audit. It should be noted that if the PI Audit is requested by the Supervisory Authorities, PI Processors are not allowed to conduct the audit on their own and must select a third-party organisation for PI Audit purposes.

Such PI Audits typically must be accomplished within 90 days, and an extension may be granted with the Supervisory Authorities’ approval in more intricate cases. Once the PI Audit is completed, the PI Processor shall promptly submit the audit report to the Supervisory Authorities. The report should include signatures from both the responsible persons of the PI Audit and the third-party professional institution, and the seal of the professional institution should also be affixed to the final report.

Since the audit report will be submitted to and reviewed by the Supervisory Authorities, any prior non-compliance - particularly in relation to reporting obligations and transparency - will be easily detected. In light of this, it is strongly recommended that PI Processors prioritize the following obligations:

• Preparing PIPL-compliant privacy policies and obtaining valid consent, especially separate consent
• Applying for the data export security assessment to the CAC for data export activities
• Conducting the Personal Information Protection Impact Assessment (“PIPIA”), signing the Standard Contract for PI Export (“SCC”), and filing the SCC and PIPIA report to the provincial CAC for PI export activities that do not necessitate a data export security assessment.
• Conducting the algorithms filing on CAC’s online filing systems and submitting an algorithms security assessment report.

III. Comparison with other jurisdictions

Apart from China, several national data protection authorities, such as France’s National Commission on Informatics and Liberty (“CNIL”) or the UK’s Information Commissioner’s Office (“ICO”), have issued guidelines regarding compliance audit for PI protection. Notably, we have identified similarities among these audit rules across different jurisdictions.

On one hand, these audit rules share common purposes, which is to ensure the existence of appropriate policies and procedures, verify their implementation, assess the adequacy of controls, detect breaches or potential breaches, and recommend necessary changes to controls, policies, and procedures. On the other hand, the scope of these audit rules typically covers a whole range of processing activities from collection, utilization, sharing, to storage, deletion, etc.

Regardless of the similarities reflected in the audit rules in different jurisdictions, the specific requirements outlined in the newly released Draft Measures in China differ from those in the audit rules of other jurisdictions. This is because the Draft Measures was formulated pursuant to China’s PIPL, which imposes unique and distinct requirements and perspectives concerning PI protection, including conducting the PIPIA, obtaining separate consent, and addressing the special PI rights of deceased individuals. Therefore, data audits based on the GDPR or regulations in other jurisdictions cannot replace PI Audits conducted under the PIPL. For PI Processors who are subject to the PIPL and have conducted PI Audits in other jurisdictions, it is advisable to closely examine the checkpoints provided below to ensure compliance with the requirements of relevant Chinese laws.

IV. Liability

According to Article 15 of the Draft Measures, individuals who violate the provisions of the Draft Measures shall be held liable in accordance with the PIPL and other applicable laws and regulations. In certain cases, those found to have violated the provisions may also face criminal liability. To avoid or mitigate potential liabilities incurred due to non-compliance practices, we have included a checklist for companies’ reference at the end of this article.

Conclusion

The primary objective of PI Audits is to enable organisations to effectively identify and control risks to prevent data protection breaches, and more critically, safeguard the interests of PI subjects during PI processing activities. The Draft Measures provides valuable and practical guidance for enterprises to fulfil their obligations under the PIPL. It is important to note that the Draft Measures has not yet come into effect, and we would advise enterprises to closely monitor the development of this regulation.

Checklist For A PI Audit