Data Protection Laws in China: New Draft Measures Offer Clarity on Compliance Audits under the PIPL

On 3 August 2023, the Cyberspace Administration of China (“CAC”) released the Administrative Measures for Personal Information Protection Compliance Audits (Draft for Comment) (《个人信息保护合规审理管理办法（征求意见稿）》) (“Draft Measures”), which are open for public comment until 2 September 2023. The Draft Measures are being issued to implement the general compliance audit requirements under Articles 54 and 64 of the PRC Personal Information Protection Law (“PRC PIPL”).

Until now, a number of questions pertaining to such audits were unclear, such as the frequency of the audit, who must perform it, whether it should be filed with authorities, etc. All of these questions have been addressed under the Draft Measures, which provide welcomed guidance on the PRC PIPL, while also opening up a few new areas of uncertainty.

Compliance Requirements under the PRC PIPL

As mentioned, the Draft Measures are intended to clarify the compliance audit requirements under Articles 54 and 64 of the PRC PIPL. Those articles provide that:

(a) a personal information (“PI”) handler[1] must audit its compliance with PRC laws and regulations on a regular basis (“Regular Compliance Audit”);[2] and

(b) where PRC regulators (in the performance of their duties) discover considerable risks in a PI handler’s PI processing activities or the occurrence of a security incident, they may request such PI handler to engage a third-party professional institution to carry out a compliance audit on its PI processing activities (“Regulator-Initiated Compliance Audit”).[3]

The Draft Measures provide detailed rules and requirements on how these two types of compliance audits should be conducted.

Regular Compliance Audits

How “regular” are Regular Compliance Audits? It depends on the volume of PI that a PI handler handles. For PI handlers processing the PI of more than 1 million individuals, a Regular Compliance Audit must be carried out at least once per year. For all other PI handlers, a Regular Compliance Audit must be conducted at least once every two years.

A Regular Compliance Audit can be carried out by a PI handler itself or by a third-party professional institution engaged by the PI handler. Unlike with Regulator-Initiated Compliance Audits, the Draft Measures are silent on when Regular Compliance Audits must be completed by, and whether the Regular Compliance Audits reports must be filed with PRC regulators.

Regulator-Initiated Compliance Audits

The Draft Measures contain stricter rules for Regulator-Initiated Compliance Audits. In particular:

• Professional Institution Engagement. Upon receiving a notice from the PRC regulator(s), the PI handler must engage a professional institution to carry out a Regulator-Initiated Compliance Audit. There is no specific timeline for engaging a professional institution – the Draft Measures only indicate that it must be done promptly.
• Deadline to Complete the Audit. Once engaged, the professional institution must complete the Regulator-Initiated Compliance Audit within 90 business days. Although this deadline can be extended upon the approval of PRC regulators if the situation is complex, the current version of the Draft Measures does not specify when the calculation of the 90 business days should commence. For instance, should the 90 business days be calculated from the date of the notice from the PRC regulators, the date on which a professional institution is engaged, or from the date on which the professional institution commences its auditing work?
• Report Filing. Once a Regulator-Initiated Compliance Audit is completed, the professional institution should issue an audit report. The audit repot must be signed by the individual in charge of the compliance audit and the individual in charge of the professional institution, and must also be affixed with the professional institution’s company chop.
• Rectification Requirement. The PI handler is also required to implement the rectification suggestions issued by the engaged professional institution, and such rectification must be verified by the engaged professional institutions and then filed with the applicable PRC regulator.

Requirements on Professional Institutions

The Draft Measures stipulate that the third-party professional institutions that conduct Regulator-Initiated Compliance Audits will be “independent” and “objective”. To this end, professional institutions will enjoy certain statutory powers when conducting Regulator Initiated Compliance Audits, such as the power to request relevant documents, to access the premises where PI is processed, to observe PI processing activities, to investigate business activities and information systems involved in PI processing, to review and obtain data related to PI processing, and to interview relevant personnel involved in the processing of PI.

To better ensure independence, a professional institution is not permitted to carry out more than three consecutive compliance audits for the same audit subject. However, it is currently unclear what constitutes an “audit subject” and if it is different from a PI handler.

The Draft Measures also provide that the CAC will work with public security organs and other government authorities to create a list of recommended professional institutions that PI handlers will be encouraged to select from for compliance audit activities. The recommended institutions will be evaluated and assessed annually, and the recommendation list will be adjusted accordingly.

The List of Key Reference Points: A Valuable Resource

In an appendix, the Draft Measures contain a list of key points to be covered when carrying out compliance audits. These points are derived from the requirements of the PRC PIPL and other laws and regulations. They are lengthy (longer than the Draft Measures itself), fairly detailed, and will be a valuable resource for any in-house teams seeking to develop their own Regular Compliance Audit systems. Some key areas include:

• Establishing the legal basis for PI processing, such as whether the required consent has been obtained for PI processing, and if such consent can be waived if no consent is obtained.
• Reviewing PI processing rules, including reviewing whether the rules have been sufficiently and appropriately disclosed to PI subjects.
• Key issues to be reviewed under special PI processing scenarios, such as co-processing activities, transferring PI to third parties, processing sensitive PI, transferring PI outside of China, installing image capturing or personal identification equipment in public places, using PI in automated decision-making, transferring PI in the case of mergers, restructurings, dissolutions, or bankruptcy, etc.
• Reviewing internal PI security policies and technical measures, including checking various internal policies required for PI protection, internal management systems and operating procedures, technical security measures such as encryption and de-identification, training plans, and the implementation of emergency plans for personal information security incidents.
• Key areas to be reviewed for large internet platforms, such as the legality and effectiveness of the platform rules, whether an independent organization has been established to supervise PI protection, and the information disclosed under the annual PI protection social responsibility report.

Legal Consequences of Failing to Comply with Compliance Audit Requirements

Failing to comply with the compliance audit requirements will result in a PI handler being subject to the penalties described under the PRC PIPL. As there are no specific penalties for failing to comply with the compliance audit requirements under the PRC PIPL, the general penalty rules under the PRC PIPL will likely apply. These penalties include orders to adopt rectification measures, warnings, and suspension or termination of any online systems or applications used to unlawfully process PI. Additionally, in cases where rectification measures are not adopted as ordered, the PI handler could be subject to a fine of up to RMB 1 million, and any person in charge or otherwise directly liable for the violation could be fined between RMB 10,000 and RMB 100,000. In extremely serious cases, the penalty imposed on PI handlers could be up to RMB 50 million or 5% of the PI handler’s revenue in the preceding year.

The Draft Measures also address violations by professional institutions. In particular, if a professional institution issues a false or inaccurate report, the PI handler and related parties may submit a complaint to the relevant PRC regulators. If the complaint is verified, the professional institution may be permanently banned from being included in the catalog of recommended professional institutions.

Conclusion

The Draft Measures provide welcomed guidance on the compliance audit requirements under the PRC PIPL. PI handlers now have clarity on when to conduct Regular Compliance Audits and how to handle a notice from PRC regulators to undertake a Regulator-Initiated Compliance Audit. Furthermore, PI handlers now have a detailed resource – the key reference points – to help them develop their own PI compliance audits.

However, as the Draft Measures are still subject to public comment, we expect further clarifications on a few areas, such as the provisions on Regulator-Initiated Compliance Audits. For instance, the Draft Measures are currently silent on what would happen if the 90-day deadline is missed due to delays caused by a professional institution. In addition, the Draft Measures simply indicate that a PI handler must implement the suggestions of a professional institution – there is little flexibility for a PI handler if the suggestions provided by a professional institution are impractical or unrealistic. Further clarification or modifications to the Draft Measures to address these and other issues would be welcomed following the comment period.

[1] Under the PRC PIPL, “PI handler” is defined as “any individual or organization that independently determines the purpose and manner of collecting, storing, using, processing, transferring, providing, publishing, or deleting personal information”.

[2] See Article 54 of the PRC PIPL.

[3] See Article 64 of the PRC PIPL.