On August 3, 2023, the Cyberspace Administration of China (“CAC”) issued the “Personal Information Protection Compliance Audit Management Measures (Draft for Comment)” (“Measures”) and the supporting “Personal Information Protection Compliance Audit Reference Points (“Key Points”) is open to the public for comments until September 2, 2023.
The “Measures” stipulate the triggering conditions and specific procedures for auditing activities; while the “Main Points” part reiterates the existing principled requirements of the “Personal Protection Law” and other laws and regulations, and adds some specific new regulations. Taken together, the “Measures” and “Key Points” essentially add some new compliance obligations for enterprises.This article analyzes the key content in the “Measures” and “Key Points” that deserves the attention of enterprises, and provides suggestions for enterprises.
Audit trigger conditions
The Personal Information Protection Law (“Personal Information Protection Law”) stipulates two triggering situations for personal information compliance audits:
Article 54: Personal information processors shall conduct compliance audits on a regular basis to comply with laws and administrative regulations in the processing of personal information.
Article 64: If the department performing personal information protection duties discovers that there are relatively large risks in personal information processing activities or personal information security incidents occur during the performance of its duties, it may follow the prescribed authority and procedures to legally represent the personal information processor. Interview with the person or the main person in charge, or require the personal information processor to entrust a professional institution to conduct a compliance audit of its personal information processing activities. Personal information processors should take measures as required to make rectifications and eliminate hidden dangers.
In short, the audit trigger conditions stipulated in the “Individual Protection Law” include: (1) regular audit, (2) audit in accordance with the requirements of the regulatory authorities.
Article 2 of the “Measures” clarifies that its scope of application includes the above two statutory triggering situations. In the two cases, the procedures and detailed rules of the audit activities are slightly different, and the two cases are summarized below.
Article 54 of the “Individual Protection Law” does not specify the audit frequency of “regular” audits. Article 4 of the “Measures” stipulates two levels of personal information processors according to the situation:
(1) The number of personal information processed exceeds 1 million people: at least once a year.
(2) No more than 1 million people: at least once every two years.
When an enterprise conducts regular audit activities according to law, the audit institution can be the enterprise’s own internal organization (such as the legal department, compliance department), or the enterprise can entrust a professional audit institution to conduct regular audits.
Audit according to regulatory requirements
Article 6 of the “Measures” reiterates the requirements of Article 64 of the “Personal Protection Law”. When the supervisory authority finds that: (1) the personal information processing activities of the enterprise have relatively high risks, or (2) a personal information security incident occurs, the enterprise may be required to conduct a compliance audit.
In the case of auditing according to the requirements of the regulatory authorities, the company can only entrust an external professional auditing agency, but cannot conduct auditing by its own internal department. According to Article 7 of the “Measures”, if the supervisory department issues a notice to the enterprise, the enterprise should select a professional audit institution as required as soon as possible after receiving the notice.
Cooperate with audit
In the process of auditing according to the requirements of regulatory authorities, enterprises should provide convenience and cooperation to audit institutions in various aspects. Auditors may have the following powers:
Request to provide or assist in reviewing relevant documents or materials;
Enter relevant places for personal information processing activities;
Observation of personal information processing activities taking place within the premises;
Investigate relevant business activities and information systems on which they rely;
Check and test equipment and facilities related to personal information processing activities;
Retrieving and reviewing data or information related to personal information processing activities;
Interview persons involved in personal information processing activities;
Conduct investigations, inquiries and evidence collection on relevant issues;
Other necessary authority to carry out compliance audit work.
The audit conducted in accordance with the requirements of the supervisory department shall be completed within 90 working days, and an extension may be submitted for approval in complicated cases.
This time requirement means that once an enterprise receives an audit notice from the regulatory authority, it must select an external professional audit institution and start audit activities as soon as possible, and it is faced with greater time pressure. It is not yet clear what consequences will be faced if the time is exceeded.
Audit report submission
Article 10 of the “Measures” stipulates that enterprises should “timely” submit the audit reports issued by professional institutions to the regulatory authorities, and put forward certain format requirements for audit reports.
Although the time limit represented by “timely” has not yet been specified, considering the above-mentioned time requirement for completing the audit within 90 working days, the company is likely to need to submit a report to the regulatory authority within 90 working days.
Rectification, review, and resubmission
After the audit required by the regulatory authorities is completed, the enterprise should carry out rectification according to the rectification suggestions given by the professional institution. After the rectification, it will be reviewed by a professional institution, and the rectification situation will be reported to the supervision department.
The time limit for the completion of the above-mentioned rectification and review has not yet been specified.
Mandatory rotation of auditors Article 12 of the “Measures” stipulates that professional audit institutions shall not conduct more than three consecutive personal information protection compliance audits for the same audit object.
This regulation means that if a company that handles personal information of no more than 1 million people has a regular audit every two years and has always used the same external audit agency, it must change the audit agency within a maximum of 6 years; If a large enterprise has a regular audit once a year and has been using the same external audit agency, it must change the audit agency within a maximum of 3 years. If the audit frequency is more frequent, the external auditor will be replaced sooner.
The above-mentioned 3-year or 6-year period is obviously shorter than the mandatory rotation period of audit institutions in other industries. For example, according to the “Administrative Measures for the Selection and Engagement of Accounting Firms by State-owned Enterprises and Listed Companies” (Cai Kuai  No. In principle, the accounting firm shall be rotated every 8 years and shall not exceed 10 years.
Although the original intention of this article is to maintain the independence and objectivity of compliance audit institutions, such frequent replacement requirements may not be reasonable in fact: it takes time for audit institutions to understand the business of the enterprise and familiarize themselves with the personal information processing process, and the cost of replacement is relatively low. high. Mandating frequent replacement of auditors may place a heavy burden on companies.
Considering that the “Measures” are still in the stage of soliciting opinions, relevant enterprises can submit opinions to relevant departments in a timely manner.
“Recommended List” Article 13 of the “Measures” stipulates that relevant departments of the State Council, such as the national network information department and public security organs, will update the “Recommended Catalog of Personal Information Protection Compliance Auditing Professional Institutions” every year. The “Measures” encourage enterprises to give priority to institutions in the recommended list, but it is not mandatory.
However, in practice, if an enterprise chooses an audit institution outside the recommended list to conduct a compliance audit, the probative force of its audit results may not meet the compliance standards required by the regulatory authorities. Therefore, after the introduction of the recommended directory, to ensure compliance, enterprises may only select institutions in the directory.
In addition, how to ensure the openness, fairness and fairness of the selection process of the recommended catalog is also a key issue that needs to be considered by relevant departments. complaint
Violations of professional audit institutions can be complained to the departments that perform personal information protection duties. After verification, the violating institution will be permanently banned from being included in the recommendation list.
Personal Information Compliance Requirements
The main basis of the “Key Points” is the “Personal Protection Law”, but some specific rules have been added in addition to the mandatory provisions of the law, which essentially put forward some compliance requirements for enterprises’ personal information processing practices that exceed the current legal provisions.
Marking requirements consent action
Article 2 of the “Key Points” clearly stipulates that when reviewing the basis of legality, the review should focus on: “(4) Processing personal information based on the consent of the individual, whether to record the operation of the consent of the individual;…”
Enterprises need to pay attention to adopting a recordable and verifiable method to obtain personal consent through online or offline channels, and keep operation records in order to respond to compliance audits. inform
Articles 7, 8, 9, 13, 14, and 18 of the “Key Points” stipulate that enterprises should focus on review when transferring and providing personal information, making automated decision-making, processing sensitive personal information, children’s personal information, and corresponding individual rights exercise requests. Circumstances for Informing Individuals. The key review items in Articles 3 and 4 of the “Key Points” respectively reflect how enterprises should fulfill their disclosure obligations through personal information processing rules or other methods.
Therefore, enterprises should pay attention to retaining the text and records of the notification when notifying the personal information subject, so as to reflect the fulfillment of the notification obligation.
The “Key Points” stipulates that when providing to other personal information processors (Articles 3 and 8 of the “Key Points”), disclosing (Article 10 of the “Key Points”), processing sensitive personal information (Article 13 of the “Key Points”) and transferring When personal images and other information collected in public places are used for purposes other than maintaining public safety (Article 11 of the “Key Points”), the focus should be on “whether individual consent has been obtained”.
It is worth noting that the “Key Points” does not explicitly exclude the circumstances stipulated in paragraphs 2 to 7 of Article 13 of the “Personal Protection Law” that it is not necessary to obtain the consent of the individual. These circumstances that do not require the consent of individuals include: “(2) It is necessary for the conclusion and performance of a contract with an individual as a party, or it is necessary for the implementation of human resource management in accordance with the labor rules and regulations formulated according to law and the collective contract signed according to law; (3) It is necessary to perform statutory duties or obligations; (4) It is necessary to respond to public health emergencies, or to protect the life, health and property safety of natural persons in emergency situations; (5) To implement news reports, public opinion supervision, etc. for the public interest (6) Process personal information within a reasonable range in accordance with the provisions of this law, which is disclosed by individuals or has been legally disclosed; (7) Other circumstances stipulated by laws and administrative regulations.
Judging from the current practice, in accordance with Article 13 of the “Personal Protection Law”, many companies will not obtain separate consent from individuals when relying on legal basis such as human resource management and contract performance to process personal information.
If the audit institution is required to review the acquisition of individual consent according to the current caliber stipulated in the “Key Points”, it will essentially conflict with the requirements of the “Individual Protection Law” and increase the compliance burden of enterprises. Considering that the “Requirements” have not yet come into effect, relevant enterprises can propose amendments during the comment period. Partners in the transfer of personal information need to be audited. The audit of personal information processors will extend to its co-processors, trustees, and other personal information processors who receive personal information transfers.
Article 5 of the “Key Points” stipulates that if there is a situation of joint processing of personal information, the review should focus on “(2) personal information protection measures adopted by each party; (3) personal information rights and interests protection mechanism; (4) personal information security incidents reporting mechanism;…”
For this reason, in the process of reviewing personal information processors, the audit agency may not only review whether the data transfer contract between the two parties of the co-processor is in compliance, but also review the personal information protection measures adopted by the partner, the implementation of personal information Rights protection mechanism, personal information security reporting mechanism, etc.
According to Article 6 of the “Key Points”, if there is a situation of entrusting the processing of personal information, not only the compliance review should be conducted on the personal information processor, but also the following items need to be reviewed on the trustee: “(4) Whether the trustee is strictly Whether personal information is processed in accordance with the agreement in the entrustment contract, whether there is any situation in which personal information is processed beyond the agreed processing purpose and processing method; (6) Whether the trustee has entrusted others to process personal information, and whether it has obtained the consent of the personal information processor.”
Other personal information processors
Article 8 of the “Key Points” stipulates that if there is a situation where the personal information processed by it is provided to other personal information processors, the following matters shall be reviewed against the recipient: “(3) Whether the recipient has complied with the processing purpose, processing method and (4) If the purpose and method of processing are changed, whether to re-obtain the consent of the individual in accordance with the provisions of laws and administrative regulations;…”
Therefore, in addition to its own annual audit, companies may need to accept additional audits due to the audit work of data transfer partners.
As a personal information processor, enterprises should clearly require their partners to accept compliance audits in the data transmission contract during the process of transmitting personal information.
Cross-border transfer of personal information
Articles 15 and 16 of the “Key Points” reiterate the various compliance requirements for cross-border transmission of personal information under the “Personal Protection Law”, “Data Export Security Assessment Measures”, and “Personal Information Situation Standard Contract Measures”.
Article 16 of the “Key Points” stipulates that in the case of cross-border transmission of personal information, the review should focus on the effectiveness of the supervision measures taken by the company to the overseas receiver, and the main points of the review include: “(1) Whether the overseas receiver is understood and mastered (2) Whether to inform the overseas recipient of the requirements of Chinese laws and administrative regulations on personal information protection, and require the overseas recipient to take corresponding protection measures; (3) ) whether to adopt methods such as signing agreements and regular inspections to urge overseas recipients to earnestly fulfill their personal information protection obligations.”
The targets of the above-mentioned review items are all companies that conduct cross-border transmission of personal information, and there is no requirement to directly conduct compliance audits on overseas recipients. According to this regulation, it seems that the domestic enterprises only need to provide necessary documents, agreements, etc. to cooperate with the audit during the audit, and there is no need to require the overseas receiver to provide excessive cooperation. Considering the high cost of communicating with foreign countries and conducting audits abroad when necessary, this requirement in the “Key Points” seems to be more reasonable at present.
However, as mentioned above, Articles 5, 6, and 8 of the “Key Points” generally require partners in the transfer of personal information to undergo compliance audits. Therefore, the overseas recipients in the “Standard Contract for Transferring Personal Information Abroad” still need to provide a certain degree of cooperation for the audit work. For example, Article 3, Item 11 of the “Standard Contract for Transferring Personal Information Abroad” stipulates that the overseas recipient shall “(11) promise to provide the personal information processor with the necessary information required to comply with the obligations of this contract, and allow the personal information processor to make necessary review data files and documents, or conduct compliance audits on the processing activities covered by this contract, and provide convenience for personal information processors to carry out compliance audits.”
Install image acquisition equipment in public places.
Article 11 of the “Key Points” stipulates that in the case of installing image collection and personal identification equipment in public places, the purpose of the collected personal information should be reviewed mainly. Specifically, it should be reviewed “whether it is necessary to maintain public safety, whether There are situations where the collected information is processed for commercial purposes”. This article is consistent with Article 26 of the Personal Protection Law, but it goes further than the Personal Protection Law and defines “commercial purposes” as a red line. Article 26 of the “Personal Protection Law” only stipulates that the above-mentioned use of personal information should be “necessary to maintain public security”, but it does not further clarify the boundary of this use, causing enterprises to face many uncertainties in practice.
However, there is still a gray area between the two uses of “maintaining public safety” and “for commercial purposes”. For example, in practice, enterprises often install image acquisition equipment in semi-open places with public nature in order to maintain their own property safety.
This situation is not necessary to “maintain public safety”, but there is no situation where the collected information is processed for “commercial purposes”. At present, the “Key Points” have not completely resolved this difficult problem, and the compliance of the above situation still needs to be further explored.
automated decision making
The “Key Points” are closely aligned with the “Internet Information Service Algorithm Recommendation Management Regulations”, “Internet Information Service Deep Synthesis Management Regulations” and “Generative Artificial Intelligence Service Management Interim Measures” issued in recent years, requiring personal information processors to use automated decision-making When processing personal information, conduct a security assessment of the algorithm model in advance, file according to relevant national regulations, and conduct a scientific and technological ethics review.
In addition, the evaluation items in the “Key Points” have comprehensively expanded Article 24 of the “Personal Protection Law”, clarifying the specific compliance measures that should be taken to ensure the transparency of automated decision-making and the fairness and impartiality of results, including:
Protect the rights and interests of personal information subjects. In order to protect the right to know of personal information subjects, companies should actively inform individuals in advance of the types of automated decision-making to process personal information and the possible impact. In order to protect the right of refusal of personal information subjects, enterprises should provide protection mechanisms so that users can conveniently refuse to make decisions that have a significant impact on personal rights and interests through automated decision-making methods, or require enterprises to make decisions that have a major impact on users’ personal rights and interests in the application of automated decision-making methods. The impact of the decision is explained. Enterprises should also provide users with the ability to delete or modify user tags for their personal characteristics used in automated decision-making services.
Take technical and organizational measures to protect algorithms and parametric models
Enterprises should take necessary measures to protect algorithms and parameter models, and take corresponding organizational measures to record manual operations in automated decision-making processes such as personal information processing, label management, and model training, so as to prevent malicious manipulation of automated decision-making information and results. From the perspective of the results of automated decision-making, enterprises should prevent automated decision-making from imposing unreasonable differential treatment on individuals in terms of transaction conditions based on consumer preferences and trading habits.
Emergency response to personal information security incidents
Article 27 of the “Key Points” stipulates that when evaluating the emergency response to personal information security incidents, key considerations should be “(2) Whether a notification channel has been established, and whether the departments and individuals performing personal information protection duties can be notified within 72 hours of the incident;… ” At present, there are no laws, regulations or other mandatory regulations that make a mandatory requirement for “reporting within 72 hours after the incident occurs”. If this audit item is retained when the “Key Points” finally come into effect, the enterprise should pay attention to adjusting the corresponding internal mechanism and process of information security incidents to adapt to this new regulation.
Although the “Measures” and “Key Points” have not yet come into effect, considering that companies may audit their existing personal information processing when they conduct compliance audits in accordance with the law in the future, it is recommended that companies plan ahead and start in advance by referring to the standards of the current draft for comments Take the following compliance measures:
Handling of personal information leaves traces In response to audits, it is recommended that companies keep text records related to personal information processing, including consent forms, privacy notices, data transfer agreements, and other internal documents.
Require partners to be audited in data transfer agreements
As mentioned in this article, in the process of compliance auditing, the enterprise may require the cooperation of the partners in the data transmission and accept the audit. It is recommended that enterprises request reasonable cooperation from partners through data transmission agreements and other forms to cope with the entry into force of the “Measures” and “Key Points”.
Algorithm model security assessment, filing, ethics review. If an enterprise involves the use of algorithmic models for automated decision-making, especially when it involves algorithmic recommendation services with public opinion attributes or social mobilization capabilities, it is necessary to pay attention to security assessment, filing, and scientific and technological ethics review in accordance with relevant laws and regulations. It remains to be seen to what extent the final versions of the Measures and Key Points will adopt the content of the consultation draft. If there is any follow-up progress, we will interpret it in a timely manner.
For further information, please contact:
Yang Hongquan, Partner, Anjie Broad