
New Measures Released for PI Protection Compliance Audit

Author: Yingying Zhu, Partner at BEIJING MINGDUN LAW FIRM

Email: zhu.yingying@mdlaw.cn

Date: March 18, 2025

Introduction


Under the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), “Personal Information handlers[1] (the “PI handlers”) shall audit on a regular basis the compliance of their processing of ‘personal information’ (the “PI”) with laws and administrative regulations[2].” The PIPL further provides that “Where the authorities find that there are relatively large risks in PI processing activities or any PI security incident occurs, they may … require the PI handlers to commission a professional institution to audit the regulatory compliance of their PI processing activities …”.[3]


To clarify the requirements and rules for PI protection compliance audits, on February 14, 2025, the Cyberspace Administration of the People’s Republic of China (the “CAC”) issued the “Measures for the Administration of Compliance Audit for Personal Information Protection” (the “Measures”).[4] At the same time, a useful and practical reference, the “Guidelines for Personal Information Protection Compliance Audit”, was released as an attachment to the Measures.


The Measures, which take effect on May 1, 2025, set out to “provide systematic, targeted and operational norms for PI handlers to carry out PI protection compliance audit and improve the legal compliance level of PI processing activities, so as to protect the rights and interests of the PI subjects”.[5]

Highlights of the Measures



1) What is “PI Protection Compliance Audit”?


The term "PI Protection Compliance Audit" in the Measures refers to the supervision activities that review and evaluate whether the PI processing activities of PI handlers comply with laws and administrative regulations.


To put it simply, a “PI Protection Compliance Audit” is the review and evaluation of the PI processing practices and systems of PI handlers to identify any potential risks; PI handlers should then develop corrective action plans to address the risks identified. It is also important to document the process for conducting the compliance audit, along with the steps PI handlers will take if potential issues are identified during the audit. The documentation helps PI handlers flag any amendments that need to be made, and, for administrative supervision purposes, the documented records should be preserved for at least three years.

2) When do you need a Compliance Audit?


According to the Measures, there are two situations in which PI handlers shall carry out a PI protection compliance audit:


First, compliance audits on a regular basis: PI handlers should regularly audit their compliance with laws and administrative regulations in their processing of PI. The Measures specifically require that PI handlers that process the PI of more than 10 million people conduct a compliance audit at least once every two years. Other PI handlers may reasonably determine the frequency of regular compliance audits based on their own circumstances.


Second, compliance audits whenever required: if the in-charge authorities find that the PI processing activities fall into any of the following situations, the PI handlers may be required to commission a professional institution to conduct a compliance audit of their PI processing activities:


  1. PI processing activities that seriously affect the rights and interests of individuals, seriously lack security measures, or might give rise to other major risks;

  2. PI processing activities that may infringe upon the rights and interests of a large number of individuals;

  3. PI security incidents have occurred, resulting in the leakage, tampering, loss or damage of the PI of more than 1 million people or the sensitive PI of more than 100,000 people.


The Measures specifically require that for the same PI security incident or risk, PI handlers shall not be repeatedly required to entrust professional institutions to carry out PI protection compliance audits.

3) What should you do when required to conduct a Compliance Audit?


The Measures set forth the following requirements for PI handlers to carry out compliance audits when required to do so:


PI handlers shall select a professional institution when required to do so and complete the compliance audit within the prescribed time. If the situation is complicated, the time limit may be extended appropriately with the approval of the in-charge authorities.


After completing a compliance audit, PI handlers shall submit the audit report issued by the professional institution to the in-charge authorities and, when required to do so, rectify the problems found in the process. Within 15 working days after the completion of the rectification, a rectification report shall be submitted to the in-charge authorities.


The Measures also emphasize that PI handlers that process the PI of more than 1 million people shall designate a person accountable for the protection of PI to be responsible for the compliance audits. PI handlers providing important Internet platform services, hosting a large number of users, or operating under a complex business type shall establish an independent body composed mainly of external members to supervise the compliance audits.


However, there is no further explanation of what constitutes “important Internet platform services”, “a large number of users” or “a complex business type”; these terms may be left to the discretion of the in-charge authorities in the implementation of the Measures.

4) What are the Requirements for Professional Institutions to conduct a PI Protection Compliance Audit?


The Measures put forward the following requirements for professional institutions to conduct a PI protection compliance audit:


First, they must have the ability to carry out the compliance audit, namely, auditors, premises, facilities and funds suitable for the service.


Second, they shall make professional judgments in an honest, impartial and objective manner, and keep confidential PI, trade secrets and confidential business information obtained during the performance of auditing duties in accordance with the law; they shall not disclose or illegally provide the same to others and shall promptly delete relevant information after the completion of the compliance auditing work.


Third, once commissioned to do the audit, they are prohibited from re-designating other institutions to perform the job.


Fourth, the same professional institution and its associated institutions, or the same person in charge of compliance audits shall not conduct more than three consecutive PI protection compliance audits on the same audit object.


As set forth in the Measures, the compliance audit reports issued by professional institutions serve as important references for the in-charge authorities in supervising and managing the PI processing activities of PI handlers.

Key Takeaways


  • For businesses to stay compliant with the PIPL, they should regularly conduct compliance audits on their regulatory compliance in the processing of PI. PI handlers that process PI of more than 10 million people should conduct a PI protection compliance audit at least once every two years. Other PI handlers may reasonably determine the frequency of regular compliance audits based on their own circumstances.


  • It is also important to document the process for conducting the compliance audit, along with the steps the PI handlers will take if potential issues are identified during the process. The documented records should be preserved for at least three years.


  • Professional Institutions are prohibited from re-designating other institutions to carry out a compliance audit. The same professional institution and its associated institutions, or the same person in charge of compliance audits shall not conduct more than three consecutive PI protection compliance audits on the same audit object.


  • If you are a PI handler that processes the PI of more than 1 million people, you shall designate a person accountable for the protection of PI to be responsible for the compliance audits. PI handlers providing important Internet platform services, hosting a large number of users, or operating under a complex business type shall establish an independent body composed mainly of external members to supervise the compliance audits. If you are unsure whether you fall within these categories, regulatory and professional opinions should be consulted.

Conclusion


There is an old Chinese proverb that says, “one prevention is better than ten cures”. It is important for PI handling businesses to perform regular audits of their data processing practices and systems so that issues and risks can be flagged and dealt with early on, that is, to nip problems in the bud. By putting time and resources into a thorough PIPL compliance audit and doing it regularly, businesses with a lasting commitment to data security and users’ PI privacy can develop a competitive edge and secure their long-term success in this complex and ever-evolving regulatory landscape.

[1] Personal Information handlers determine the purpose and means of processing of personal information and operate in a way similar to “data controllers” under other privacy and data protection laws (e.g., the European Union’s General Data Protection Regulation (2016/679) (“GDPR”)).

[2] See Article 54 of the PIPL.

[3] See Article 64 of the PIPL.

[4] Source: the Cyberspace Administration of China; for further details of the Measures, see https://www.cac.gov.cn/2025-02/14/c_1741232791991016.htm.

[5] See https://www.gov.cn/lianbo/bumen/202502/content_7003767.htm.
