On August 3, 2023, the Cyberspace Administration of China (“CAC”) issued the Administrative Measures of Compliance Audit on Personal Information Protection (Draft for Public Comments) (“Draft Audit Measures”) to tighten the protection of personal information.
A. Who should conduct the compliance audit?
According to the Draft Audit Measures, any personal information processor in China should conduct the compliance audit on its personal information processing activities.
Different from the General Data Protection Regulation (“GDPR”) of the EU, there is no conceptual distinction between “processor” and “controller” under Chinese law. Both are “personal information processors” under Chinese law, i.e., any entity that collects, stores, shares, transfers or otherwise processes personal information will be deemed a personal information processor, even if it processes personal information upon another party’s instructions.
B. What are the legal consequences for the failure to conduct the compliance audit?
A personal information processor that fails to conduct the compliance audit may be subject to administrative penalties under the Personal Information Protection Law of China (“PIPL”) or even criminal liabilities if it constitutes a criminal offense.
C. How frequent should the compliance audit be?
Compliance audit initiated by personal information processors: A personal information processor that processes more than 1 million individuals’ personal information should conduct a compliance audit at least once per year. Other personal information processors should conduct a compliance audit at least once every two years.
Compliance audit required by CAC: In addition, CAC may require a personal information processor to conduct a compliance audit if it finds that the personal information processor’s processing activities carry relatively high risks or that a security incident has occurred. However, there is no clear definition of what risks count as “relatively high risks”.
D. Who can conduct the compliance audit?
If the compliance audit is initiated by the personal information processor, it can be conducted either by the personal information processor itself or by a professional institution engaged by the personal information processor.
If the compliance audit is required by CAC, the personal information processor should engage a professional institution to conduct the compliance audit.
E. Who can be the professional institutions for compliance audit?
CAC, together with the public security authority and other related authorities, will issue a list of recommended professional institutions for compliance audit. Such professional institutions will be reviewed annually, and the list may be adjusted when needed.
Personal information processors are encouraged to engage professional institutions on the above list. The Draft Audit Measures do not explicitly exclude professional institutions that are not on the list.
F. Are there special requirements if the compliance audit is required by CAC?
If the compliance audit is required by CAC, it must be conducted by a professional institution and cannot be conducted by the personal information processor itself.
The personal information processor must ensure the professional institution has proper access to the documents, materials, premises, personnel, IT systems and data processing activities for the compliance audit.
The compliance audit must be completed within 90 working days unless a proper extension has been approved by CAC.
The audit report must be signed by the person in charge of the compliance audit and the person in charge of the professional institution and affixed with the chop of the professional institution. The audit report should also be submitted to CAC upon the completion of the audit.
The personal information processor should take rectification measures proposed by the professional institution and submit a rectification report to CAC after being verified by the professional institution.
G. Are there special requirements on the professional institutions?
The professional institution should remain independent and objective in the compliance audit and may not conduct the compliance audit for the same personal information processor three consecutive times.
The professional institution may not subcontract the compliance audit to a third party.
The professional institution should keep the information it collects during the compliance audit confidential, may not use it for any purpose other than the compliance audit, and should take security measures to safeguard data security.
The professional institution should not disturb personal information processors’ normal operation.
Personal information processors and related parties may report a professional institution’s misconduct to CAC; if the misconduct is substantiated, the professional institution may be permanently excluded from the recommended list.
H. What are the focuses of the compliance audit?
The compliance audit is quite comprehensive and covers almost all aspects of processing activities. Its focuses can be summarized as follows:
a. Details of personal information processing activities, e.g., the legal basis for processing, disclosure and notification of processing rules, sharing and entrusted processing of personal information, automated processing, collection of personal images, public disclosure of personal information, processing of sensitive personal information, and collection of minors’ personal information;
b. Outbound transfer of personal information;
c. Protection measures for individuals’ statutory rights;
d. Personal information processors’ internal policies and security measures; and
e. Large-scale internet platform operators’ personal information processing activities and the implementation of their special protection measures.