Key Takeaways
- If the Administration Measures for Personal Information Compliance Audit is adopted as currently drafted, it will apply to all companies processing personal information.
- The frequency of self-audits will vary based on the amount of personal information processed. Companies processing the personal information of more than one million individuals must conduct a personal information compliance audit (“Compliance Audit”) at least once a year, while others must conduct an audit at least every two years.
- Under the self-audit scenario, companies may conduct audits on their own or entrust a recognized professional institution approved by cyberspace administration departments. However, the same institution cannot conduct more than three consecutive Compliance Audits for the same company.
- In cases of high-risk personal information processing activities or personal information security incidents, the department responsible for personal information protection may require the company to entrust a professional institution for the Compliance Audit.
- The Compliance Audit focuses on the requirements outlined in the Personal Information Protection Law (“PIPL”) and the relevant national standards, covering areas such as personal information processing rules, cross-border data transfers, rights of personal information subjects, obligations of personal information processors, and special responsibilities for large Internet platforms.
Full Text of the Article
On August 3, 2023, the Cyberspace Administration of China released the Administrative Measures for Personal Information Compliance Audit (Draft for Comments) (“Audit Measures”) for public consultation until September 2, 2023. This article analyzes the circumstances in which the Compliance Audit is applicable, the key points to be reviewed in the Compliance Audit, and the legal responsibilities outlined in the Audit Measures. It also provides recommendations for companies acting as personal information processors on how to conduct Compliance Audits in accordance with the laws.
A. Applicable Circumstances for the Compliance Audit
The Audit Measures have clarified and expanded the requirements for Compliance Audits stated in Articles 54 and 64 of the PIPL. They categorize the triggering circumstances for Compliance Audits into two types: “regular self-audits” and “ad hoc audits required by the regulator”. The latter are required by the supervisory authorities when high risks are identified in personal information processing activities or when a personal information security incident occurs.
(a) Regular Self-Audits
According to Article 54 of the PIPL, personal information processors are obligated to conduct Compliance Audits on a regular basis. The Audit Measures further specify that personal information processors processing the personal information of more than one million individuals must conduct a Compliance Audit at least once a year. For other personal information processors, a Compliance Audit is required at least once every two years (Article 4).
(b) Ad hoc Audits Required by the Regulator
Article 64 of the PIPL states that, if a department responsible for personal information protection identifies high risks in personal information processing activities, or if a personal information security incident occurs during their duties, they may require the personal information processor to engage a professional institution to conduct a Compliance Audit of their personal information processing activities.
The Audit Measures also outline requirements for the recommendation and selection of audit institutions. The national cyberspace administration departments, in collaboration with public security and other departments, are responsible for establishing a recommended directory of professional institutions for Compliance Audits. Additionally, professional institutions conducting Compliance Audits should maintain independence and objectivity and not conduct more than three consecutive Compliance Audits for the same company.
B. Specific Requirements on Ad hoc Audits Required by the Regulator
The Audit Measures outline the obligations of personal information processors under these circumstances:
- Selection of the institution (Article 7 and 13 of the Audit Measures):Personal information processors are advised to consult the recommended directory of professional institutions for Compliance Audits. They should then engage a third-party professional institution to conduct the audit.
- Assisting and cooperating (Article 8 of the Audit Measures):Personal information processors must assist and cooperate with professional institutions during Compliance Audits. This includes providing or facilitating access to relevant documents and information and allow access to locations associated with personal information processing, examining and testing business activities, information systems, and related equipment and facilities. They should provide or facilitate access to retrieve and access data or information relevant to personal information processing, conduct interviews with individuals involved in personal information processing and cooperate with investigations, inquiries, and evidence-gathering activities carried out by professional institutions.
- Timely completion (Article 9 of the Audit Measures):Generally, ad hoc audits required by the regulator should be completed within 90 working days. Reasonable extensions may be granted for complex cases.
- Rectification actions (Article 10 and 11 of the Audit Measures):Personal information processors should implement recommended rectifications as proposed and reviewed by professional institutions.
- Reporting the outcome (Article 10 and 11 of the Audit Measures):The Compliance Audit report issued by professional institutions and the status of rectification should be reported to the department responsible for personal information protection.
C. Key Review Points of the Compliance Audit
The Audit Measures outline the specific matters to be examined during the Compliance Audit, either by the personal information processor or the professional institution entrusted by the processor. These examination points are detailed in the Appendix Reference Points for Compliance Audit of Personal Information Protection (“Reference Points”), aligning with the provisions of each chapter of the PIPL. The Reference Points incorporate requirements from administrative regulations and national standards, such as the Information Security Technology – Personal Information Security Specification. They comprehensively cover the entire process of personal information processing and can be categorized into the following five modules:
- Personal information processing rules (Article 2 to 13 of the Reference Points):In accordance with Chapter 2 of the PIPL, the Reference Points provide key points for the Compliance Audit, such as the legal basis of personal information processing, processing rules, notifications, joint processing, entrusted processing, processing during merger/division/dissolution/bankruptcy, personal information provision, automated decision-making, disclosure, collection from public places, processing personal information that has already been disclosed, sensitive personal information processing, and processing the personal information of minors, etc.
- Cross-border provision of personal information (Article 15 and 16 of the Reference Points):In accordance with Chapter 3 of the PIPL, the Reference Points provide key points for the Compliance Audit, such as the compliance routes for cross-border transfers of personal information, cross-border transfers based on judicial enforcement or treaty agreements, and measures taken to ensure that overseas recipients’ processing meets PIPL requirements, etc.
- Protection of rights of personal information subjects (Article 17 to 19 of the Reference Points): In accordance with Chapter 4 of the PIPL, the Reference Points provide key points for the Compliance Audit, such as the acceptance of requests regarding the rights of personal information subjects, and the protection of rights to access, copy, transfer, correct, supplement, delete, and request an explanation of the rules of personal information processing, etc.
- Obligations of personal information processors (Article 20 to 27 of the Reference Points):In accordance with Chapter 5 of the PIPL, the Reference Points provide key points for the Compliance Audit, such as the responsibilities of personal information processors, management measures, technical measures, personnel training, person in charge of personal information protection, personal information protection impact assessment, and personal information security incident response, etc.
- Special responsibilities for large Internet platforms (Article 28 to 31 of the Reference Points):In accordance with Article 58 of the PIPL, the Reference Points provide key points for Compliance Audits, such as the independent organizations overseeing personal information protection, internet platform rules, supervision of product or service providers within the platform, and social responsibility reporting on personal information protection.
Article 1 of the Reference Points clarifies that their purpose is to provide guidance for conducting Compliance Audits. Therefore, it is understood that companies and professional institutions may make adjustments and additions to the Reference Points based on their specific circumstances.
D. Legal Liabilities for Violating the Audit Measures
Article 15 of the Audit Measures serves as a transitional provision, stating that penalties for non-compliance by personal information processors are subject to the relevant provisions of the PIPL. According to Chapter 7 of the PIPL, a personal information processor that fails to fulfill its obligations related to Compliance Audits may face the following penalties imposed by the department responsible for personal information protection: ordering corrections, issuing warnings, confiscating the illegal gains, and ordering the suspension or termination of those who process personal information in violation of the law. If a personal information processor refuses to rectify their non-compliance, they may be fined up to 1 million RMB. In cases of serious violation, departments responsible for personal information protection at or above the provincial level may impose fines of up to 50 million RMB or 5% of the previous year’s turnover and may order the suspension of the relevant business operations and revoke the relevant business permit or license through notification to the relevant competent authority.
Furthermore, individuals directly responsible and other directly liable persons may face fines ranging from 10,000 RMB to 100,000 RMB if they refuse to rectify non-compliance. In serious violations, they may be fined from 100,000 RMB to 1 million RMB. Additionally, they may be prohibited from holding positions such as director, supervisor, senior manager, or person in charge of personal information protection within related companies for a specified period of time.
E. Our Advice
The release of the Draft for Comments version of the Audit Measures reflects the ongoing trend of strengthening legislation and supervision surrounding personal information protection in China. It highlights the importance of conducting Compliance Audits for personal information processors and provides specific requirements and methods for conducting such audits. Additionally, we understand that the reports and record files generated by companies upon completion of Compliance Audits may serve as evidence of compliance. This can be beneficial in demonstrating adherence to the legal requirements, regulations, and standards related to personal information protection and data security during government investigations, law enforcement actions, and Compliance Audits conducted by government agencies, relevant organizations, or business partners.
Although the official version of the Audit Measures may take some time to be released, it is advisable that companies promptly establish an internal mechanism for conducting Compliance Audits. This should be done in accordance with the requirements outlined in the Draft for Comments version of the Audit Measures and should be tailored to the specific characteristics of their own business and management. By doing so, companies can proactively prepare for Compliance Audits to be conducted once the Audit Measures are formally implemented. This preparation should include considerations for management, staffing, technical support, and external cooperation, among other relevant factors.
For further information, please contact:
DONG, Xiao (Marissa), Partner, JunHe
dongx@junhe.com