Aug 9, 2023
On 3 August 2023, the Cyberspace Administration of China (“CAC”) released the Administrative Measures for Personal Information Protection Compliance Audits (Draft for Comment) (《个人信息保护合规审理管理办法（征求意见稿）》) (“Draft Measures”), which are open for public comment until 2 September 2023. The Draft Measures are being issued to implement the general compliance audit requirements under Articles 54 and 64 of the PRC Personal Information Protection Law (“PRC PIPL”).
Until now, a number of questions pertaining to such audits were unclear, such as the frequency of the audit, who must perform it, whether it should be filed with authorities, etc. All of these questions have been addressed under the Draft Measures, which provide welcomed guidance on the PRC PIPL, while also opening up a few new areas of uncertainty.
Compliance Requirements under the PRC PIPL
As mentioned, the Draft Measures are intended to clarify the compliance audit requirements under Articles 54 and 64 of the PRC PIPL. Those articles provide that:
(a) a personal information (“PI”) handler must audit its compliance with PRC laws and regulations on a regular basis (“Regular Compliance Audit”); and
(b) where PRC regulators (in the performance of their duties) discover considerable risks in a PI handler’s PI processing activities or the occurrence of a security incident, they may request such PI handler to engage a third-party professional institution to carry out a compliance audit on its PI processing activities (“Regulator-Initiated Compliance Audit”).
The Draft Measures provide detailed rules and requirements on how these two types of compliance audits should be conducted.
Regular Compliance Audits
How “regular” are Regular Compliance Audits? It depends on the volume of PI that a PI handler handles. For PI handlers processing the PI of more than 1 million individuals, a Regular Compliance Audit must be carried out at least once per year. For all other PI handlers, a Regular Compliance Audit must be conducted at least once every two years.
A Regular Compliance Audit can be carried out by a PI handler itself or by a third-party professional institution engaged by the PI handler. Unlike with Regulator-Initiated Compliance Audits, the Draft Measures are silent on when Regular Compliance Audits must be completed by, and whether the Regular Compliance Audits reports must be filed with PRC regulators.
Regulator-Initiated Compliance Audits
The Draft Measures contain stricter rules for Regulator-Initiated Compliance Audits. In particular:
Requirements on Professional Institutions
The Draft Measures stipulate that the third-party professional institutions that conduct Regulator-Initiated Compliance Audits will be “independent” and “objective”. To this end, professional institutions will enjoy certain statutory powers when conducting Regulator Initiated Compliance Audits, such as the power to request relevant documents, to access the premises where PI is processed, to observe PI processing activities, to investigate business activities and information systems involved in PI processing, to review and obtain data related to PI processing, and to interview relevant personnel involved in the processing of PI.
To better ensure independence, a professional institution is not permitted to carry out more than three consecutive compliance audits for the same audit subject. However, it is currently unclear what constitutes an “audit subject” and if it is different from a PI handler.
The Draft Measures also provide that the CAC will work with public security organs and other government authorities to create a list of recommended professional institutions that PI handlers will be encouraged to select from for compliance audit activities. The recommended institutions will be evaluated and assessed annually, and the recommendation list will be adjusted accordingly.
The List of Key Reference Points: A Valuable Resource
In an appendix, the Draft Measures contain a list of key points to be covered when carrying out compliance audits. These points are derived from the requirements of the PRC PIPL and other laws and regulations. They are lengthy (longer than the Draft Measures itself), fairly detailed, and will be a valuable resource for any in-house teams seeking to develop their own Regular Compliance Audit systems. Some key areas include:
Legal Consequences of Failing to Comply with Compliance Audit Requirements
Failing to comply with the compliance audit requirements will result in a PI handler being subject to the penalties described under the PRC PIPL. As there are no specific penalties for failing to comply with the compliance audit requirements under the PRC PIPL, the general penalty rules under the PRC PIPL will likely apply. These penalties include orders to adopt rectification measures, warnings, and suspension or termination of any online systems or applications used to unlawfully process PI. Additionally, in cases where rectification measures are not adopted as ordered, the PI handler could be subject to a fine of up to RMB 1 million, and any person in charge or otherwise directly liable for the violation could be fined between RMB 10,000 and RMB 100,000. In extremely serious cases, the penalty imposed on PI handlers could be up to RMB 50 million or 5% of the PI handler’s revenue in the preceding year.
The Draft Measures also address violations by professional institutions. In particular, if a professional institution issues a false or inaccurate report, the PI handler and related parties may submit a complaint to the relevant PRC regulators. If the complaint is verified, the professional institution may be permanently banned from being included in the catalog of recommended professional institutions.
The Draft Measures provide welcomed guidance on the compliance audit requirements under the PRC PIPL. PI handlers now have clarity on when to conduct Regular Compliance Audits and how to handle a notice from PRC regulators to undertake a Regulator-Initiated Compliance Audit. Furthermore, PI handlers now have a detailed resource – the key reference points – to help them develop their own PI compliance audits.
However, as the Draft Measures are still subject to public comment, we expect further clarifications on a few areas, such as the provisions on Regulator-Initiated Compliance Audits. For instance, the Draft Measures are currently silent on what would happen if the 90-day deadline is missed due to delays caused by a professional institution. In addition, the Draft Measures simply indicate that a PI handler must implement the suggestions of a professional institution – there is little flexibility for a PI handler if the suggestions provided by a professional institution are impractical or unrealistic. Further clarification or modifications to the Draft Measures to address these and other issues would be welcomed following the comment period.
 Under the PRC PIPL, “PI handler” is defined as “any individual or organization that independently determines the purpose and manner of collecting, storing, using, processing, transferring, providing, publishing, or deleting personal information”.
 See Article 54 of the PRC PIPL.
 See Article 64 of the PRC PIPL.