Following the implementation of the Personal Information Protection Law (“PIPL”), the legislative framework governing data protection in China has evolved rapidly over the past three years. The PIPL provides for two types of personal information compliance audit: “regular self-audits” and “ad hoc audits required by the regulator”. The latter are required when supervisory authorities identify risks in personal information processing activities or when a personal information security incident occurs.
The requirements for personal information compliance audits are emphasized in various administrative regulations, rules and guidelines. Article 37 of the Regulation on the Protection of Minors in Cyberspace mandates that personal information processors must either conduct their own audits or engage specialized agencies to audit their compliance with laws and administrative regulations in the processing of the personal information of minors on an annual basis and report the audit findings to the cyberspace administration and other authorities in a timely manner. Similarly, the Notice of the Ministry of Industry and Information Technology on Further Improving the Service Capability of Mobile Internet Apps requires App developers and operators to conduct regular compliance audits of their personal information protection measures and their implementation, as a part of their primary responsibilities.
The Cyberspace Administration of China released a draft of the Administrative Measures for Personal Information Compliance Audit (“Draft Audit Measures”) based on the existing laws and regulations on August 3, 2023, which clarified and complemented the requirements for personal information compliance audits under the PIPL. For instance, personal information processors that process the personal information of more than one million individuals must conduct compliance audits at least once a year; for other personal information processors, a compliance audit is required at least once every two years. The Draft Audit Measures detail the specific items to be covered in a compliance audit. For more information about the Draft Audit Measures, see our Brief Analysis of the Key Points of the Administrative Measures for Personal Information Compliance Audit (Draft for Comments).
On July 12, 2024, the National Information Security Standardization Technical Committee (TC260) issued a draft of the National Standard Data Security Technology – Personal Information Protection Compliance Audit Requirements (“Draft Audit Standard”) as part of a consultation process to solicit public comments until September 11, 2024. The Draft Audit Standard provides further practical guidance for preparing personal information compliance audits.
This article explores the legal nature of compliance audit systems for personal information protection. It briefly discusses the audit process, the requirements for audit execution, management, staffing and documentation, and key audit points for personal information compliance audits as outlined in the Draft Audit Standard.
A. Legal Positioning of the System for Personal Information Compliance Audits
The term “audit” traditionally means financial examination or inspection. According to the Contemporary Chinese Dictionary, an “audit” is defined as the “supervision and inspection, before and after the fact, of major projects and financial accounts of governments, financial institutions, corporations and public institutions by a specialized agency in accordance with the law.” According to the Implementation Regulations for the Audit Law of the People’s Republic of China, an “audit” in the Audit Law means the independent inspection by audit authorities, pursuant to the law, of the accounting vouchers, account books, financial accounting reports and other materials and assets relating to the treasury income and expenditure and the financial income and expenditure of audited organizations, together with the supervision of the authenticity, legitimacy and beneficial results of that treasury and financial income and expenditure.
Unlike traditional financial audits, there are no international standards for enterprises to conduct internal audits of the compliance of personal information processing with data protection legislation. The European Data Protection Supervisor (EDPS), the European Union’s independent data protection authority, published Audits conducted by the EDPS – Policy paper and EDPS Audit Guidelines to guide the EDPS in conducting audits and investigations of a company’s data processing activities, but they do not apply to companies conducting internal audits.
We understand that the system for personal information compliance audits is designed with reference to the framework of traditional financial audits to ensure the authority and independence of audits. However, the basis and objectives of personal information compliance audits differ from those of traditional financial audits. The Draft Audit Standard defines compliance audits for personal information protection as supervision that reviews the processing of personal information by personal information processors and assesses their compliance with laws and administrative regulations.
At present, China has established a series of corporate internal audit systems in specialized fields such as banking, insurance, and central SOEs (state-owned enterprises), according to which corporate internal auditing is independent of compliance management. Based on our reading of the Draft Audit Standard, the current legal framework for compliance audits of personal information protection does not require the adoption of the same stringent standard of independence as seen in the internal audit systems for central SOEs and the other fields highlighted above. Additionally, the Draft Audit Standard does not mandate the establishment of an independent department for personal information protection audits.
B. Personal Information Compliance Audit Processes
According to the Draft Audit Standard, the personal information protection compliance audit process is divided into five phases: preparation, execution, reporting, remediation and audit record archiving. The key steps of each phase are as follows:
- Audit preparation: This includes establishing the audit team, conducting pre-audit investigations, determining the audit approach and methodology, and preparing and reviewing the audit plan;
- Audit execution: This includes issuing audit notices, collecting audit evidence, preparing working papers based on the appropriate audit evidence, and ratifying audit findings;
- Audit reporting: This includes resolving disagreements, and preparing and submitting the audit report;
- Remediation: In this phase, the auditor should follow up on any non-compliance identified during the audit process and instruct the audited entity to take corrective measures within a prescribed timeframe. If necessary, the auditor should also conduct follow-up audits on the completion and effectiveness of the corrective measures;
- Audit record archiving: The working papers, reports and other materials related to the compliance audits for personal information protection should be properly kept.
C. Audit Execution, Management and Staffing Requirements
The Draft Audit Standard sets out clear requirements for the execution and management of personal information compliance audits and the responsibilities of auditors in the following aspects:
Assumption of responsibility: The board of directors (or audit committee), data protection officer, or principal of the personal information processor should take final responsibility for the establishment, operation, and maintenance of the personal information compliance audit system, as well as ensure the independence and effectiveness of these audits.
Supervision of audits: The board of directors (or audit committee), data protection officer or principal of the personal information processor should act as the supervisor of a personal information compliance audit. In addition, personal information processors that provide important Internet platform services, have a large user base, and operate under complex business scenarios should also establish an independent body primarily composed of external members to supervise their personal information protection practices.
Policy framework: A management system for personal information compliance audits should be established. This would outline the form and frequency of personal information compliance audits and define the duties and access of auditors, including but not limited to the access to documents and materials, premises and sites, systems, equipment, and personnel.
Audit independence: To ensure an appropriate audit process, all necessary personnel, sites, systems, and financial support should be provided. The Draft Audit Standard stipulates that internal auditors should abstain from performing any assignment relating to the business for which they are responsible and should not be directly involved in the day-to-day business operations or personal information security protection of the audited entity. According to Appendix A of the Draft Audit Standard, if there is no dedicated team responsible for personal information protection compliance audits, the personal information processor should select personnel in reasonable proportions from the internal audit, security, legal and other teams with expertise in audits or personal information protection, and adhere to a principle of independence. The list of such personnel must be approved by the head of the audit team.
The Draft Audit Standard also contains specific provisions regarding the requirements of professional competence, independence, objectivity, fairness, confidentiality, and execution of auditors.
D. Personal Information Compliance Audit Documents
Audit evidence is the factual information obtained by an auditor to support the conclusions of a personal information audit, including the records, statements of fact or other information collected, used or discovered during a personal information protection compliance audit. Appendix B of the Draft Audit Standard provides the common types of audit evidence and the criteria for their validity.
An audit plan outlines the overall strategy and detailed steps to be followed when conducting a personal information compliance audit. The Draft Audit Standard specifies the factors, key items, and assessment procedures to be considered during audit planning.
An audit working paper is a document prepared by the auditor that records the audit plan developed, the procedures performed, the evidence obtained, and the conclusions reached. An audit report is a written document issued by the auditor in an appropriate form that contains the auditor’s opinions and suggestions based on the audit evidence collected and reviewed and the audit findings made during the audit. Appendices D and E of the Draft Audit Standard provide the templates for audit working papers and audit reports respectively.
E. Key Points of Personal Information Compliance Audits
Appendix C of the Draft Audit Standard outlines the auditing matters, evidence and methods for conducting personal information compliance audits. This Appendix generally aligns with the provisions of the PIPL and incorporates requirements from the administrative regulations and national standards. It comprehensively covers the entire process of personal information processing:
- Personal information processing rules (Articles C.1 to C.13): Like Chapter 2 of the PIPL, the Draft Audit Standard provides key audit points regarding the legal basis of personal information processing, processing rules, notifications, joint processing, entrusted processing, processing under different scenarios of merger/division/dissolution/bankruptcy, the transfer of personal information, automated decision-making, disclosure, collection from public places, personal information already in the public domain, and sensitive personal information. For processing scenarios involving third parties, such as joint processing, entrusted processing and the transfer of personal information, the Draft Audit Standard outlines specific auditing evidence and methods, including but not limited to: examining relevant contracts and documents, inspecting the records of periodic inspections or supervisions, reviewing the written descriptions or testing, assessment or certification reports provided by the recipients, and verifying whether the entrusted entity processes personal information in strict compliance with the data processing agreement.
- Cross-border transfer of personal information (Articles C.14 to C.15): Like Chapter 3 of the PIPL, the Draft Audit Standard provides key audit points regarding compliance routes for cross-border transfers of personal information, cross-border transfers based on judicial enforcement or international treaties and agreements, and measures taken to ensure that overseas recipients’ processing meets the requirements of the PIPL.
- Protection of minors’ personal information (Articles C.16 to C.22): Compared to the Draft Audit Measures, the Draft Audit Standard complements and clarifies the audit requirements for protecting the personal information of minors. It develops audit modules in accordance with the Regulation on the Protection of Minors in Cyberspace, including identity verification of minors, minimum necessary collection of minors’ personal information, minors’ rights to their personal information, emergency response to security incidents related to minors’ personal information, minimum necessary access to minors’ personal information, and the protection of minors’ private information.
- Protection of the rights of personal information subjects (Articles C.23 to C.25): In alignment with Chapter 4 of the PIPL, the Draft Audit Standard provides key audit points regarding the protection of individuals’ rights to delete their personal information and to exercise their personal information rights, and responses to individuals’ requests for explanations of the rules of personal information processing.
- Obligations of personal information processors (Articles C.26 to C.33): Like Chapter 5 of the PIPL, the Draft Audit Standard outlines key audit points regarding the primary responsibilities of personal information processors, management measures, technical measures, personnel training, the person in charge of personal information protection, personal information protection impact assessments, and the emergency response to personal information security incidents.
- Special responsibilities of large Internet platforms (Articles C.34 to C.37): Like Article 58 of the PIPL, the Draft Audit Standard specifies key audit points regarding independent organizations overseeing personal information protection, Internet platform rules, the supervision of product or service providers within the platform, and the social responsibility of reporting on personal information protection.
F. Observations and Advice
The Draft Audit Standard addresses every aspect of compliance audits for personal information protection, from audit rules, requirements and procedures to auditing items, methods and evidence, and provides templates for audit working papers and audit reports. This standard offers more practical guidance and support for the implementation of the PIPL and the Draft Audit Measures.
The release of the Draft Audit Standard is further indication that the compliance audit system for personal information protection is being established and is moving closer to implementation.
Even though the official version of the Draft Audit Standard has not yet been issued, we advise enterprises to familiarize themselves with the requirements outlined in the Draft Audit Standard. We suggest they maintain and organize records and documents relating to personal information processing activities and establish an internal mechanism for conducting compliance audits for personal information protection tailored to the specific characteristics of their business and management. By doing so, enterprises can proactively prepare for personal information compliance audits to be conducted once the Draft Audit Measures and the Draft Audit Standard are formally implemented. This preparation should include considerations for management, staffing, technical support, and external cooperation.