China – Key Points Analysis and Compliance Response to the "Data Security Technology Personal Information Protection Compliance Audit Requirements"
Introduction
On July 12, 2024, the National Cybersecurity Standardization Technical Committee ("CNSC") issued the draft "Data Security Technology Personal Information Protection Compliance Audit Requirements" ("Audit Requirements") for public comment until September 11, 2024. The Audit Requirements stipulate the audit principles and overall requirements for conducting personal information protection compliance audits under the Personal Information Protection Law; clarify the audit process specifications, requirements for audit personnel, audit implementation methods and steps, specific audit content and audit methods; and provide guidance for compliance audits conducted by internal bodies of personal information processors or by entrusted professional organizations.
This article analyzes the key contents in the Audit Requirements that deserve enterprises’ attention and provides suggestions for enterprises to respond.
I. Background and Main Contents
The Audit Requirements are formulated to respond to and implement the relevant requirements of the Personal Information Protection Law. According to Articles 54 and 64 of the Personal Information Protection Law, companies need to conduct personal information protection compliance audits in the following two situations:
Article 54: Personal information processors shall regularly conduct compliance audits of their handling of personal information in compliance with laws and administrative regulations.
Article 64: Where, in the course of performing their duties, departments performing personal information protection duties discover that personal information processing activities involve significant risks or that personal information security incidents have occurred, they may interview the legal representative or principal person in charge of the personal information processor in accordance with the prescribed authority and procedures, or require the personal information processor to entrust a professional institution to conduct a compliance audit of its personal information processing activities. Personal information processors shall take measures as required to make rectifications and eliminate hidden dangers.
On August 3, 2023, the Cyberspace Administration of China ("CAC") issued the "Personal Information Protection Compliance Audit Management Measures (Draft for Comments)" ("Measures") and the supporting "Personal Information Protection Compliance Audit Reference Points" ("Reference Points"), which set out the triggering conditions and specific procedures for audit activities. Compared with the 2023 Measures and Reference Points, the 2024 Audit Requirements contain more detailed requirements on audit procedures and audit content.
In terms of audit procedures, the “Audit Requirements” standardizes the process of personal information protection compliance audits, clarifies the requirements for auditors, establishes the validity standards for audit evidence, and provides audit working paper templates and audit report templates for companies to refer to in practical operations.
In terms of audit content, the Audit Requirements establishes the audit principles of legality, independence, objectivity, comprehensiveness, fairness, and confidentiality, and timely synchronizes the recent updates of China’s legislation in the field of personal information protection, ensuring the connection with other legal provisions. For example, the Audit Requirements supplements the audit content of the minimum necessary requirements for collecting personal information in Appendix C, supplements the audit content for the protection of minors’ personal information in accordance with the Regulations on the Protection of Minors on the Internet, and adjusts the audit requirements for the export of personal information in accordance with the Regulations on Promoting and Regulating Cross-Border Data Flows.
II. Procedural requirements
The Audit Requirements have added specific requirements for audit-related personnel, documents and processes.
(I) Audit-related personnel
1. Personnel responsible
The board of directors (audit committee), the person in charge of personal information protection or the main person in charge of the personal information processor shall bear the ultimate responsibility, and the scope of responsibility is:
(1) Establishment, operation and maintenance of a personal information protection compliance audit system; and
(2) Independence and effectiveness of compliance audits.
2. Supervisors
The board of directors (audit committee), the person in charge of personal information protection or the principal person in charge of the personal information processor also act as supervisors of the personal information protection compliance audit work.
In addition, personal information processors that provide important Internet platform services, have a large number of users, and have complex business types should also establish an independent organization composed mainly of external members to supervise the compliance audit of personal information protection. This requirement originates from Article 58 of the Personal Information Protection Law, but there are currently no laws and regulations that have explained the key concepts therein.
Based on the "Information Security Technology Requirements for Large Internet Enterprises to Set Up Personal Information Protection Supervision Bodies (Draft for Comments)" and the "Cybersecurity Standard Practice Guidelines – Large Internet Platform Cybersecurity Assessment Guidelines", together with Appendix C.35 of the Audit Requirements, we understand that "personal information processors that provide important Internet platform services, have a large number of users and complex business types" and "large Internet platforms" overlap to a certain extent in scope, referring to Internet platforms with an average of no less than 50 million monthly active users in China over the past year. Enterprises can use this figure as a preliminary reference for self-assessment.
3. Auditors
According to the Audit Requirements, the personal information protection compliance audit team may consist of (a) the organization's full-time personal information protection compliance audit team; (b) personnel drawn in reasonable proportion from the internal audit, security, legal and other teams with audit or personal information protection expertise; or (c) an engaged third-party professional organization. It is worth noting that, unlike the Measures, the Audit Requirements do not require personal information processors to give priority to professional organizations in the recommended catalogue formulated by the relevant departments when carrying out compliance audits.
In addition, the Audit Requirements set out requirements of professionalism, independence, objectivity, fairness and confidentiality for auditors.
In terms of professionalism, auditors should hold professional certification in the field of personal information protection, although the Audit Requirements do not specify the scope of such certification.
In terms of independence, auditors shall not be in any of the following situations; otherwise they shall immediately submit a written explanation to the audit team and recuse themselves from, or terminate, the relevant audit work:
(1) directly participating in the daily business operations or personal information security protection work of the auditee, where such work is subject to the auditee's direction;
(2) for auditors from external professional institutions, having family relationships, interests, legal disputes or other conflicts of interest with the auditee or its staff that may affect their ability to reach fair and independent audit conclusions; or
(3) participating in activities that may affect the independent performance of their audit responsibilities, or accepting any property that may affect their independent judgment.
(II) Audit-related documents
1. Audit plan
The audit plan is the key document for ensuring the effectiveness of the personal information protection compliance audit. It describes in detail the steps and arrangements for implementing the audit and makes specific provision for each audit action so that the audit objectives are met. The audit plan should cover both the general requirements for routine audit activities and the individual requirements for special scenarios.
When preparing an audit plan, auditors should identify compliance requirements such as laws and administrative regulations based on the audit object and audit method, and focus on the following factors: dependency on key processes, organizational structure and strategic goals, personal information protection planning, business forms and processes, historical audit issues and rectification, security incidents, complaints and reports, specific technologies, special group information, and other influencing factors. It should be noted that the problems and rectifications found in the personal information compliance audit and the investigation of personal information security incidents should be traced back three years. This also implicitly requires companies to keep these two types of information and related documents for at least three years.
2. Audit evidence
Audit evidence is the basis on which audit conclusions rest and must be true, complete and valid, and must truthfully reflect the objective circumstances. Appendix B of the Audit Requirements sets out specific validity requirements for audit evidence: for example, management documents must have gone through proper drafting or approval procedures and have come into effect; agreement documents must carry the valid consent of all parties and have actually come into effect and been performed; and network logs must be original records that have not been tampered with.
Auditors should properly preserve audit evidence, accept audit evidence that meets the requirements, and organize it into audit working papers in a timely manner.
3. Audit working papers
Audit working papers are records of the audit plan, audit procedures, relevant audit evidence, and audit conclusions drawn. Audit working papers should objectively reflect the preparation and implementation of the audit plan, as well as all important matters related to the formation of audit conclusions, opinions, and recommendations.
4. Audit Report
The audit report is an important outcome of the personal information protection compliance audit. It is not only a comprehensive summary of the audit process and results, but also a formal document that provides feedback and suggestions to the audited unit and related parties. Before writing the audit report, auditors need to establish a dispute resolution mechanism with the audit object and communicate and confirm the disputed audit conclusions. The content of the audit report should include but is not limited to the audit overview, audit basis, audit conclusions, audit findings, audit opinions, audit suggestions, etc.
(III) Audit implementation process
The Audit Points divide personal information protection compliance audits into five stages and 14 steps, as follows:
III. Substantive requirements
Appendix C of the Audit Requirements, “Contents and Methods of Compliance Audits on Personal Information Protection”, is based mainly on the Personal Information Protection Law, but adds some specific details in addition to the mandatory provisions of the law, which in essence puts forward several compliance requirements for the personal information processing practices of enterprises that exceed the current legal provisions. The following is an analysis of the substantive compliance requirements proposed in Appendix C of the Audit Requirements that are worthy of attention by enterprises.
(I) Obligation to inform
In addition to the provisions on disclosure obligations in Articles 17 and 30 of the Personal Information Protection Law, the Audit Requirements put forward further compliance requirements for the disclosure obligations that companies should fulfill through privacy policies, including:
1. Legal basis:
The privacy policies of each channel need to clearly state the circumstances under which personal information processing does not require the consent of the individual, and the circumstances described should comply with the requirements of laws and administrative regulations (Audit Requirements C.1.6).
2. Storage period and basis for determining the storage period:
The privacy policy of each channel needs to clearly state the storage period for different types of personal information and the basis for determining the storage period. It also needs to explain how the personal information will be handled after expiration, such as deletion or anonymization (Audit Requirements C.3.3).
3. Format requirements:
For the privacy policy or other notification documents of each channel, the audit checks whether the size, font and colour of the notification text make it convenient for individuals to read the notification in full; for online privacy policies or other online notification methods, it checks whether the text is provided, or the obligation to inform is fulfilled, through appropriate means such as pop-up windows and display interfaces (Audit Requirements C.4.2, C.4.4).
4. Sensitive Personal Information:
When using an App to collect sensitive personal information, the personal information processor should obtain the user’s separate consent through separate pop-up windows, separate notifications, etc. (Audit Requirements C.13.1).
5. Automated decision making:
The content of the explanation of automated decision-making processing should clearly inform individuals of the types of automated decision-making processing of personal information and the possible impact (Audit Requirements C.9.1). However, the Personal Information Protection Law does not actually stipulate any additional obligations to proactively inform individuals regarding companies’ use of automated decision-making to process personal information. It only stipulates in Article 24 that “individuals have the right to request explanations from personal information processors and have the right to refuse personal information processors to make decisions solely through automated decision-making.” Therefore, this clause in the Audit Requirements creates another obligation on top of the clear requirements of laws and regulations, namely, to inform individuals of “the types of automated decision-making processing of personal information and the possible impact” regarding automated decision-making.
6. Contact information of the person in charge of personal information protection:
The audit checks whether the privacy policy, corporate social responsibility report or official website discloses the contact information of the person in charge of personal information protection (Audit Requirements C.30.6). However, under the Personal Information Protection Law not all companies are required to designate such a person (Article 52 applies only to processors whose processing volume reaches the threshold set by the Cyberspace Administration of China). While Article 52 requires processors that do designate one to publicly disclose that person's contact information, the notification obligation in Article 17 only requires processors to inform individuals of the processor's own contact information, not that of the person in charge of personal information protection.
(II) Consent and separate consent
The Audit Requirements stipulate that when personal information is provided to other personal information processors (Audit Requirements C.3.5, C.8.1), when it is disclosed (Audit Requirements C.10.1), when personal images and identity identification information collected by image acquisition devices in public places are used for purposes other than public safety (Audit Requirements C.11.3), and when sensitive personal information is processed (Audit Requirements C.13.1), the audit content should include "whether the individual's separate consent has been obtained".
It is worth noting that, apart from the audit item on processing sensitive personal information, the Audit Requirements do not expressly exclude the circumstances in which individual consent is not required under Article 13, Items 2 to 7 of the Personal Information Protection Law, namely: "(ii) it is necessary to conclude or perform a contract to which the individual is a party, or to implement human resources management in accordance with labour rules and regulations formulated in accordance with the law and collective contracts signed in accordance with the law; (iii) it is necessary to perform statutory duties or obligations; (iv) it is necessary to respond to public health emergencies or to protect the life, health and property safety of natural persons in emergency situations; (v) it is necessary to carry out news reporting, public opinion supervision and other activities in the public interest, and to process personal information within a reasonable scope; (vi) it is necessary to process, within a reasonable scope and in accordance with this Law, personal information that an individual has disclosed or that has otherwise been lawfully disclosed; (vii) other circumstances stipulated by laws and administrative regulations."
In current practice, many companies rely on Article 13 of the Personal Information Protection Law and do not obtain separate consent from individuals when processing personal information on legal bases such as human resources management and contract performance.
If audit agencies are required to review whether separate consent was obtained in every such scenario under the current scope of the Audit Requirements, this would in effect conflict with the Personal Information Protection Law and increase the compliance burden on enterprises.
Considering that the Audit Requirements have not yet come into effect, relevant companies can propose amendments to them during the consultation period.
(III) Cooperation of partners in personal information transfers with the audit, and compliance requirements for data transfer contracts
Under the Audit Requirements, the audit of a personal information processor in effect extends to all of the processor's partners in the transfer of personal information, including joint processors, trustees, recipients of personal information in mergers, reorganizations and similar events, and other personal information processors to whom personal information is provided. In addition, building on the Personal Information Protection Law, the Audit Requirements impose higher requirements on the substantive content of personal information processing contracts in the different transfer scenarios.
1. Joint Processors
Audit Requirements C.5.1-C.5.5 stipulate the audit content in the joint processing scenario. According to the requirements for audit methods, the audit method adopted in the audit is to “check the joint processing contract or agreement of personal information between the two parties” to verify whether the personal information protection measures taken by the parties, the personal information rights protection mechanism, the personal information security incident reporting mechanism, etc. are stipulated therein, while Article 20 of the Personal Information Protection Law only requires the two parties to “agree on their respective rights and obligations” for joint processing. Therefore, compared with the legal provisions, the Audit Requirements further stipulates the terms that the data transfer contract should include in the joint processing scenario, and the audit agency will review whether the data transfer contract between the two joint processors contains relevant matters.
On the other hand, according to the requirements for audit methods and audit evidence, the audit should conduct spot checks on personal information rights protection mechanisms, personal information security incident reporting mechanisms, etc., and “verify their effectiveness through walk-through tests and other methods.” Therefore, in the process of reviewing personal information processors, the audit agency may not only review the data transfer contract, but also directly require the co-processor to cooperate in testing to review the effectiveness of the personal information protection measures it has taken, the personal information rights protection mechanisms it has implemented, and the personal information security reporting mechanisms.
2. Trustees in entrusted processing: the requirements that the Audit Requirements place on the content of the data transfer contract are basically consistent with the Personal Information Protection Law.
According to C.6.1-C.6.5 of the Audit Requirements, where the processing of personal information is entrusted, the audit must check whether the personal information processor conducts regular inspection and supervision of the trustee, and the trustee must cooperate by providing compliance statements or evaluation, certification and test reports in support of the processor's audit. In practice these requirements may be difficult to meet. On the one hand, because of the cost involved, personal information processors often cannot inspect all trustees regularly, and enterprises that are entrusted with processing by a large number of processors (such as providers of software that handles personal information) may be unwilling to accept regular supervision and inspection by every processor they work with. On the other hand, in the course of auditing the processor, the Audit Requirements indirectly require trustees to provide materials in support of the audit. To meet this requirement, processors therefore need to stipulate expressly in the data transfer contract that the trustee must cooperate and provide compliance statements or evaluation, certification, test reports and other audit evidence as required. This undoubtedly increases the burden on the enterprises concerned.
3. Recipients of personal information due to merger, reorganization, division, dissolution, bankruptcy, etc.
In the scenario where personal information is transferred due to merger, reorganization, division, dissolution, bankruptcy, etc., Audit Requirements C.7.1-C.7.3 propose that it is necessary to audit whether the recipient actually fulfills the obligations of the personal information processor and whether the consent is obtained again for the change of processing by checking the privacy policy of the recipient. The above audit content is actually not aimed at the original personal information processor, but the recipient of personal information after the merger, reorganization, division, dissolution, or bankruptcy of the personal information processor. Therefore, the audit activities of the personal information processor directly lead to the recipient accepting the audit.
4. Other personal information processors
Audit Requirements C.8.3 stipulates that the audit content should include "whether the recipient processes personal information within the scope of the processing purpose, processing method and type of personal information agreed upon by both parties", that the audit evidence includes the relevant "contracts or agreements", and that the audit method is to "check whether the contract or agreement between the two parties stipulates the processing purpose, processing method and type of personal information". Under the Audit Requirements, therefore, the data transfer contract for providing personal information to another personal information processor must set out the processing purpose, processing method and type of personal information, whereas the Personal Information Protection Law imposes no requirements on the content of data transfer contracts in this scenario. These contract requirements go beyond the express provisions of the Law and place further demands on enterprises.
In addition, the audit method under C.8.3 also includes checking "whether the written explanation or test, evaluation, and certification report provided by the recipient can prove that it processes personal information within the agreed scope", so the recipient must cooperate with the processor's audit and provide the relevant written proof. C.8.4 requires an audit of "whether the recipient has re-obtained the individual's consent in accordance with the provisions of laws and administrative regulations when changing the purpose and method of processing". This audit requirement is clearly at odds with the industry's current general understanding of the law. Article 23 of the Personal Information Protection Law provides that "... the recipient shall process personal information within the scope of the above-mentioned processing purpose, processing method and type of personal information. If the recipient changes the original processing purpose or processing method, it shall re-obtain the individual's consent in accordance with the provisions of this Law." On the general understanding, when the recipient changes the processing purpose or method, the obligation to re-obtain consent lies with the recipient, not the provider. Under the principle in Article 9 of the Law that personal information processors are responsible for their own processing activities, the recipient is responsible for performing this obligation, and if it fails to do so, the compliance level of the provider should not, in theory, be evaluated negatively.
The reasonableness of using C.8.4 as an item in the compliance audit of personal information processors (as providers) is therefore questionable.
(IV) Cross-border transmission of personal information
Audit Requirements C.14.1-C.15.3 reiterate the various compliance requirements for cross-border transmission of personal information under the Personal Information Protection Law and the newly issued Regulations on Promoting and Regulating Cross-Border Data Flows in 2024.
The audit contents specified in the Audit Requirements include but are not limited to:
- Whether the information provider understands the impact of the personal information protection policies and cybersecurity environment of the overseas recipient's country or region on the outbound personal information;
- Whether the information on the overseas recipient is known and understood, in particular, whether the recipient has the necessary personal information protection capabilities;
- Whether the requirements of Chinese laws and administrative regulations on personal information protection have been informed to overseas recipients, and whether the overseas recipients have been required to take corresponding protection measures;
- Whether measures such as signing agreements and regular inspections are adopted to urge overseas recipients to fulfill their obligations to protect personal information.
The above-mentioned audit items are all for enterprises that conduct cross-border transmission of personal information, and there is no requirement to conduct compliance audits directly on overseas recipients. According to this provision, it seems that during the audit, domestic enterprises only need to provide necessary documents, agreements, etc. to cooperate with the audit, and there is no need to require overseas recipients to provide too much cooperation. Considering the high cost of communicating with overseas parties and conducting audits overseas when necessary, this provision of the “Audit Requirements” currently seems to be more reasonable.
However, as mentioned above, the Audit Requirements generally require that partners involved in the transfer of personal information accept or cooperate with compliance audits. In addition, under Article 3, Item 11 of the Standard Contract for the Transfer of Personal Information Abroad, the overseas recipient shall "(xi) commit to provide the personal information processor with the necessary information required to comply with the obligations of this contract, allow the personal information processor to review the necessary data files and documents or conduct compliance audits on the processing activities covered by this contract, and facilitate the personal information processor in conducting compliance audits". Overseas recipients (in particular signatories of the Standard Contract) acting as joint processors, trustees, recipients in mergers and reorganizations, or other personal information processors receiving transferred personal information will therefore still need to provide a certain degree of cooperation with the audit work.
Regarding the audit of compliance with data export filing obligations, we note that the Audit Requirements do not clearly set out the thresholds that trigger a data export security assessment, a standard contract for personal information export or personal information protection certification, nor the exemptions under the Provisions on Promoting and Regulating Cross-Border Data Flows, such as transfers "for the conclusion and performance of contracts to which an individual is a party" or "for implementing cross-border human resources management in accordance with labour rules and regulations formulated in accordance with the law and collective contracts signed in accordance with the law"; nor do they expressly require data exporters to audit whether their export scenarios qualify for such exemptions. In current practice, many companies that rely on these exemptions have excluded the relevant export scenarios from the filing obligations in accordance with the Provisions and the specific requirements of the Cyberspace Administration of China. Since the Provisions were only recently issued, both companies and regulators are still exploring the conditions under which the exemptions apply, and in our observation regulators tend to leave this judgment to companies themselves. For enterprises, therefore, the question of "whether the relevant outbound transfer scenarios qualify for an exemption" carries considerable uncertainty and compliance risk; if this could be demonstrated through a personal information protection compliance audit, it may be more beneficial to enterprises.
Considering that the “Audit Requirements” have not yet come into effect, relevant enterprises can propose amendments to this during the comment period.
(V) Installation of image acquisition equipment in public places
Audit Requirements C.11.1 stipulates that when image acquisition and personal identification equipment are installed in public places, it should be reviewed whether “it is necessary to maintain public safety and whether the collected information is processed for commercial purposes.”
This article is linked to Article 26 of the Personal Information Protection Law, but it goes a step further than the Personal Information Protection Law by drawing a red line for “commercial purposes”. Article 26 of the Personal Information Protection Law only stipulates that the use of the above personal information should be “necessary to maintain public security”, but does not further explain the boundaries of this use, resulting in many uncertainties for companies in practice.
However, there is still a gray area between the two purposes of “maintaining public safety” and “for commercial purposes”. For example, in practice, companies often install image acquisition equipment in semi-open places of a public nature to protect the safety of their own property. This situation is not necessary for “maintaining public safety”, but neither is the collected information processed for “commercial purposes”. At present, the “Key Points” have not completely resolved this difficult problem, and the compliance of the above situation still needs further discussion.
(VI) Automated decision making
The “Audit Requirements” are closely linked to the “Internet Information Service Algorithm Recommendation Management Regulations”, “Internet Information Service Deep Synthesis Management Regulations” and “Interim Measures for the Management of Generative Artificial Intelligence Services” issued in recent years. They require personal information processors to conduct security assessments on algorithm models in advance when using automated decision-making to process personal information, register them in accordance with relevant national regulations, and conduct scientific and technological ethics reviews.
In addition, the assessment items in the Audit Requirements have comprehensively expanded Article 24 of the Personal Information Protection Law, clarifying the specific compliance measures that should be taken to ensure the transparency of automated decision-making and the fairness and impartiality of the results, including:
1. Protect the rights and interests of personal information subjects:
As mentioned in Section 3 (I) above, in order to protect the right to know of the personal information subject, companies should proactively inform individuals in advance of the types of automated decision-making processing of personal information and the possible impacts.
In order to protect the personal information subject’s right of refusal, enterprises should provide a mechanism through which users can conveniently refuse decisions made through automated decision-making that have a significant impact on their personal rights and interests, or require the enterprise to explain how automated decision-making was applied in reaching such decisions.
In terms of scientific and technological ethics review, companies should check whether personal information processors conduct scientific and technological ethics review of algorithm models in advance, including but not limited to whether Internet information services are provided using algorithm models that induce users to become addicted, or whether Internet information services are provided using algorithm models that induce users to over-consume.
Companies should also provide users with the ability to delete or modify user tags based on their personal characteristics used in automated decision-making services.
2. Take technical and organizational measures to protect algorithms and parameter models:
Enterprises should take necessary measures to protect algorithms and parameter models, and take corresponding organizational measures to record manual operations in automated decision-making processes such as personal information processing, label management, and model training, to prevent malicious human manipulation of automated decision-making information and results.
With respect to the results of automated decision-making, companies should take effective measures to prevent automated decision-making from applying unreasonable differential treatment to individuals in transaction conditions based on consumer preferences, trading habits, etc.
(VII) Emergency handling of personal information security incidents
Audit Requirements C.20.2 and C.33.2 stipulate that a notification channel should be established to notify departments and individuals responsible for personal information protection within 72 hours after a personal information security incident occurs.
Currently, there is no mandatory requirement in any law, regulation or other mandatory provisions to “report an incident within 72 hours of its occurrence”. If this audit item is retained when the Audit Requirements finally come into effect, enterprises should pay attention to adjusting their internal information security incident response mechanisms and processes to adapt to this new regulation.
IV. Conclusion
It has been nearly three years since the promulgation of the Personal Information Protection Law. During this period, supporting implementation methods and regulations have been issued one after another for the obligations stipulated in many articles of the Personal Information Protection Law. As far as the obligations of personal information compliance audits are concerned, the Audit Requirements have made more detailed provisions in terms of both the audit procedures and specific contents. Although the Audit Requirements have not yet come into effect, considering that companies may audit the existing personal information processing when conducting compliance audits in accordance with the law in the future, it is recommended that companies prepare for the future and refer to the standards of the current draft for comments to take the following compliance measures in advance:
1. Establish a personal information protection compliance system:
In order to meet the procedural and personnel requirements in the audit, and to fully fulfill the obligations stipulated in the Personal Information Protection Law, it is recommended that companies conduct comprehensive self-examination and establish a personal information protection compliance system.
2. Leave traces of personal information processing:
In order to prepare for audits, it is recommended that companies retain text records related to the processing of personal information, including consent forms, privacy notices, data transfer agreements and other internal documents.
3. Require partners to be audited in data transfer agreements:
As described in this article, during the compliance audit process, enterprises may need data transfer partners to cooperate and accept the audit. It is recommended that enterprises require partners to provide reasonable cooperation through data transfer agreements and other forms to cope with the effectiveness of the Audit Requirements.
It remains to be seen to what extent the final version of the Audit Requirements will adopt the contents of the draft for comments. If there are any subsequent developments, we will provide timely interpretation.