On 12 February 2025, the Cyberspace Administration of China (“CAC”) released the Measures on Personal Information Protection Compliance Audits (“Measures”), which will take effect on 1 May 2025. The Measures clarify the specific requirements for personal information protection compliance audits (“PIPC Audits”) that were first introduced under the PRC Personal Information Protection Law (2021) (“PIPL”). This development marks another significant step in China’s evolving data protection landscape, with important implications for companies operating in China.
Key takeaways from the Measures
(i) PIPC Audits for large data handlers
Companies processing the personal information of over 10 million data subjects are required to conduct PIPC Audits at least once every two years. While internal audits are permissible, third-party audits are generally more advisable to enhance credibility and demonstrate compliance efforts.
Additionally, it is important to note that although the Measures do not specify an audit frequency for companies below the above-mentioned threshold, regular PIPC Audits remain a statutory obligation under the PIPL. As such, smaller companies should also conduct PIPC Audits periodically to ensure ongoing compliance.
(ii) Triggers for third-party PIPC Audits
The CAC or other relevant authorities may require companies to conduct PIPC Audits through a designated third-party agency under any of the following circumstances. In such cases, the audit report must be submitted to the relevant authorities.
- High-risk activities: When personal information processing poses significant risks to individual rights or lacks adequate security measures.
- Large-scale incidents: When a data breach affects the personal information of over 1 million data subjects or the sensitive personal information of over 100,000 data subjects.
- Potential mass harm: When processing activities could potentially harm a large number of data subjects.
(iii) Coverage of PIPC Audits
The guideline accompanying the Measures outlines 27 key aspects that PIPC Audits should address. These include, but are not limited to, transparency and legal bases for personal information processing, compliance with personal information sharing and cross-border transfer requirements, enforcement of data subject rights, technical and security measures, and mechanisms for data breach and incident response.
The comprehensive nature of the guideline provides companies with a robust framework to assess their compliance with the PIPL and other relevant data protection laws. However, the wide scope and complexity of PIPC Audits also demand substantial effort. Consequently, companies may need to allocate significant internal resources or even seek external expertise to ensure full compliance, especially when managing the more intricate aspects of PIPC Audits.
(iv) Penalties for non-compliance
Failure to comply with the Measures may result in penalties under the PIPL and other relevant regulations. These penalties could include warnings, fines, or even business suspension in severe cases.
What should companies do?
- Schedule regular PIPC Audits: All companies, regardless of size, should integrate PIPC Audits into their data compliance framework and strategic planning as a top priority.
- Allocate sufficient resources: Due to the complexity of PIPC Audits, companies should allocate dedicated resources or engage external experts when necessary to ensure continuous data compliance and efficient implementation of PIPC Audits.
- Conduct PIPC Audits: Companies should initiate regular PIPC Audits in accordance with the Measures, covering the 27 key areas outlined in the guideline. Audits should be thorough, well-documented, and aligned with both legal requirements and best practices.
- Implement rectification measures: Following each audit, companies must promptly take corrective actions based on audit findings. These measures should address any identified gaps or risks and ensure that the company maintains a compliant data protection framework.
Remarks
Since the introduction of the PIPL in 2021, PIPC Audits have been a statutory obligation for all companies operating in China. However, without detailed implementation guidelines, many companies have struggled to fulfill this requirement, resulting in widespread delays.
To address this, regulators released a draft version of the Measures in August 2023 for public consultation. In late 2024, a pilot PIPC Audit program was also launched, involving major industry players across various sectors. After more than a year of piloting and refinement, the finalized Measures have now been officially promulgated, incorporating input from the participating enterprises.
The release of the Measures marks an important shift in China’s data protection approach: from a regulator-driven model to one that places greater responsibility on companies to ensure their own compliance. Moving forward, businesses must adopt a more proactive approach to data compliance and maintain comprehensive compliance records to demonstrate their efforts to regulators.