On 3 August 2023, the Cyberspace Administration of China (“CAC”) released the Administrative Measures for Personal Information Protection Compliance Audits (Draft for Comment) (《个人信息保护合规审计管理办法(征求意见稿)》) (“Draft Measures”), which are open for public comment until 2 September 2023. The Draft Measures are intended to implement the general compliance audit requirements under Articles 54 and 64 of the PRC Personal Information Protection Law (“PRC PIPL”).
Until now, a number of questions pertaining to such audits remained unanswered, such as how often the audit must be conducted, who must perform it, and whether it must be filed with the authorities. All of these questions are addressed in the Draft Measures, which provide welcome guidance on the PRC PIPL while also opening up a few new areas of uncertainty.
Compliance Requirements under the PRC PIPL
As mentioned, the Draft Measures are intended to clarify the compliance audit requirements under Articles 54 and 64 of the PRC PIPL. Those articles provide that:
(a) a personal information (“PI”) handler[1] must audit its compliance with PRC laws and regulations on a regular basis (“Regular Compliance Audit”);[2] and
(b) where PRC regulators (in the performance of their duties) discover considerable risks in a PI handler’s PI processing activities, or a security incident has occurred, they may require the PI handler to engage a third-party professional institution to carry out a compliance audit of its PI processing activities (“Regulator-Initiated Compliance Audit”).[3]
The Draft Measures provide detailed rules and requirements on how these two types of compliance audits should be conducted.
Regular Compliance Audits
How “regular” are Regular Compliance Audits? It depends on the volume of PI that a PI handler handles. For PI handlers processing the PI of more than 1 million individuals, a Regular Compliance Audit must be carried out at least once per year. For all other PI handlers, a Regular Compliance Audit must be conducted at least once every two years.
A Regular Compliance Audit can be carried out by the PI handler itself or by a third-party professional institution engaged by the PI handler. Unlike for Regulator-Initiated Compliance Audits, the Draft Measures are silent on the deadline for completing a Regular Compliance Audit and on whether the resulting audit report must be filed with PRC regulators.
Regulator-Initiated Compliance Audits
The Draft Measures contain stricter rules for Regulator-Initiated Compliance Audits. In particular:
- Professional Institution Engagement. Upon receiving a notice from the PRC regulator(s), the PI handler must engage a professional institution to carry out a Regulator-Initiated Compliance Audit. There is no specific timeline for engaging a professional institution – the Draft Measures only indicate that it must be done promptly.
- Deadline to Complete the Audit. Once engaged, the professional institution must complete the Regulator-Initiated Compliance Audit within 90 business days. Although this deadline can be extended upon the approval of PRC regulators if the situation is complex, the current version of the Draft Measures does not specify when the calculation of the 90 business days should commence. For instance, should the 90 business days be calculated from the date of the notice from the PRC regulators, the date on which a professional institution is engaged, or from the date on which the professional institution commences its auditing work?
- Report Filing. Once a Regulator-Initiated Compliance Audit is completed, the professional institution must issue an audit report. The audit report must be signed by the individual in charge of the compliance audit and the individual in charge of the professional institution, and must also be affixed with the professional institution’s company chop.
- Rectification Requirement. The PI handler is also required to implement the rectification suggestions issued by the engaged professional institution. The rectification must be verified by that professional institution, and the verified rectification must then be filed with the applicable PRC regulator.