Insights and Analysis

Navigating new horizons: China's personal information protection compliance audits

06 March 2025
On February 14, 2025, the Cyberspace Administration of China ("CAC") finalized the "Personal Information Protection Compliance Audit Measures" ("Audit Measures"), which refines the draft version released on August 3, 2023 ("Draft Audit Measures") and will come into effect on May 1, 2025. 

Chapter 1: Background of the Audit Measures

Prior to promulgation of the Audit Measures, Chinese laws and regulations already established some requirements for personal information protection audits ("Data Audit"): 

  • Personal Information Protection Law of China ("PIPL") – 
    • Article 54 – personal information handlers (i.e., organizations or individuals that are able to independently determine the purpose and means of processing personal information) must regularly conduct Data Audits to ensure adherence to laws and administrative regulations ("Regular Audit"); 
    • Article 64 – authorities responsible for personal information protection, upon discovering significant risks or incidents related to personal information processing activities, may order the personal information handler to engage a professional institution to conduct a Data Audit ("Authority-Instigated Audit").
  • Regulations on Network Data Security Management ("NDSM") – 
    • Article 27 – network data handlers (i.e., organizations or individuals that are able to independently determine the purpose and means of processing network data) must regularly conduct Data Audits, either by themselves or through professional institutions, to ensure adherence to laws and administrative regulations. 

The existing regulatory regime clearly outlines two scenarios for conducting Data Audit, i.e., the Regular Audit and the Authority-Instigated Audit. On this basis, the Audit Measures provide further guidance on the conduct of Data Audits, the selection of professional institutions to conduct Data Audits, the frequency of audits, and the obligations of personal information handlers and professional institutions during Data Audits. The aim is to offer systematic and operational standards for personal information handlers to carry out Data Audits, thereby promoting legal and compliant handling of personal information. 

Chapter 2: Scope of Application

The Audit Measures explicitly apply to Data Audits conducted by personal information handlers within the territory of China. It remains unclear whether offshore personal information handlers that are subject to the PIPL’s extra-territorial application would also be required to complete Data Audits in accordance with the Audit Measures, although they have been required to conduct Regular Audits under PIPL. 

Chapter 3: When Do Personal Information Handlers Need to Conduct Data Audits?

Regular Data Audits 

  • Building on the PIPL and the NDSM, the Audit Measures specify the circumstances under which personal information handlers are obliged to conduct a Regular Audit ("Mandatory Regular Audit"). 
    • Processing of over ten million China-based individuals' information. Compared with the Draft Audit Measures, the threshold and frequency for the Mandatory Regular Audit have been relaxed: from processing over one million China-based individuals' information, audited at least once a year, to processing over ten million China-based individuals' information, audited at least once every two years. This echoes the NDSM, which also sets forth strengthened data protection obligations for network data handlers processing over ten million China-based individuals' information, i.e., appointing a network data security officer and establishing a dedicated management institution responsible for security systems, procedures, risk monitoring, emergency drills and complaint handling; and implementing and reporting data disposal plans and recipients' details to the relevant authorities upon significant changes such as mergers, divisions, dissolution or bankruptcy. 
    • Processing of less than ten million China-based individuals' information. Personal information handlers processing less than ten million China-based individuals' information are not obliged to conduct the Mandatory Regular Audit every two years and are given some flexibility in performing the Regular Audit (e.g., the criteria for initiating a Regular Audit and its frequency), with the aim of balancing compliance burdens against operational efficiency. That said, such flexibility does not exempt these personal information handlers from Data Audit obligations under other laws or administrative regulations. Pursuant to the Q&A Session regarding the Audit Measures, they should reasonably determine the frequency of Regular Audits based on their own conditions. Also, the Regulations on the Protection of Minors in Cyberspace require personal information handlers processing minors' personal information to conduct Data Audits annually.
  • The Regular Audit could be conducted either by personal information handlers themselves or through professional institutions.

Authority-Instigated Audit 

  • The Audit Measures clarify three specific scenarios where the Authority-Instigated Audit will apply – 
    • where there are significant risks in personal information processing activities, e.g., serious impact on personal rights and interests or severely inadequate security measures; 
    • where there are personal information processing activities that may infringe on the rights of numerous individuals; and 
    • where there are personal information incidents leading to the leakage, tampering, loss, or destruction of personal information for over 1 million individuals or of sensitive personal information for over 100,000 individuals.
  • These scenarios triggering the Authority-Instigated Audit essentially align with the compliance obligations stipulated in the PIPL and the NDSM. Meanwhile, the Audit Measures also aim to prevent redundancy and reduce compliance costs by stating that an Authority-Instigated Audit shall not be repeatedly required for the same incident or risk. 
  • Personal information handlers shall, by engaging a qualified professional institution at their own expense, complete the Authority-Instigated Audit within the prescribed time unless otherwise extended, and submit the Data Audit reports to relevant authorities. 
  • For issues discovered during the Authority-Instigated Audit, personal information handlers shall rectify as required by the authority and formulate and submit a rectification report within 15 working days after completing the rectification. This aims to urge personal information handlers to promptly address and mitigate risks following the Authority-Instigated Audit. 

Chapter 4: Specific Requirements

Under the Audit Measures, personal information handlers processing the personal information of over 1 million individuals must designate a personal information protection officer responsible for compliance audits. It is still unclear whether this is intended to clarify the threshold for the requirement to appoint a personal information protection officer (i.e., the DPO) under the PIPL. 

Additionally, the Audit Measures echo the PIPL by proposing an independent oversight mechanism for personal information handlers providing significant internet platform services with large user bases and complex business types. These handlers must establish an independent body, mainly consisting of external members, to oversee personal information protection compliance audits, regardless of whether the audit is conducted internally or by a professional institution. 

Chapter 5: Data Audit by the Professional Institutions

According to the Audit Measures, personal information handlers are required to engage professional institutions for Authority-Instigated Audits and may choose whether to engage such institutions for Regular Audits. The Audit Measures set forth specific conditions for the operation and audit activities of professional institutions providing Data Audit services in China. 

  • Competence. Professional institutions should possess the capability to conduct Data Audits, including appropriate auditing personnel, venues, facilities, and financial resources. Additionally, the Audit Measures aim to implement a certification and accreditation mechanism of professional institutions providing Data Audit services, to guide personal information handlers in selecting professionally competent institutions. 
  • Independence. The same professional institution, its affiliated institutions, and the same compliance audit leader shall not conduct Data Audits for the same audit target more than three consecutive times. 
  • Non-delegation. Professional institutions are prohibited from subcontracting Data Audits to other entities. 
  • Confidentiality. Professional institutions shall maintain confidentiality regarding personal information, trade secrets and confidential business information obtained during the audit, and shall neither use the information acquired from the audit for unrelated purposes nor disclose it to unauthorized parties. Professional institutions are also required to delete relevant information promptly after completing the compliance audit work. 

Chapter 6: Key Points of Data Audit

The Audit Measures provide the Guidelines for Personal Information Protection Data Audits ("Audit Guidelines") as an attachment for personal information handlers to follow when conducting the Data Audit, either internally or by a professional institution. 

The Audit Guidelines summarize key check points from relevant laws and administrative regulations on personal information protection, e.g., the PIPL, the NDSM, the Data Security Law and the Cybersecurity Law. They list twenty-six audit items, including the legal basis of personal information processing activities, processing rules, joint processing, entrusted processing, transfers to other personal information handlers, cross-border transfers, automated decision-making, the processing of sensitive personal information, etc. 

While the Audit Measures do not provide detailed procedural requirements for conducting Data Audits, the draft non-binding national standard Data Security Technology: Personal Information Protection Compliance Audit Requirements, issued on July 12, 2024, provides a useful reference for personal information handlers to follow. It includes guidelines on personal information protection compliance audit principles, implementation requirements, auditor standards, audit processes and evidence management, as well as templates for audits and reports. 

Next Steps 

With the upcoming implementation of the Audit Measures, it is crucial for enterprises and organizations in China to verify their standing against the thresholds established under the Audit Measures and to start the necessary actions by reference to the Audit Guidelines without delay. Even those that do not meet the thresholds should conduct a thorough review of their personal information compliance program against the Audit Guidelines, so as to identify and address any non-compliance issues or security gaps in a timely manner. Doing so would help avoid triggering an Authority-Instigated Audit. 

Hogan Lovells’ Privacy and Cybersecurity Team is actively monitoring governmental activities that could affect Data Audits. We are committed to keeping our clients updated on the latest developments and providing strategic, practical advice and assistance on relevant matters. 

Contacts

Sherry Gong, Partner, Beijing
