China Data Privacy: New Clarity on Audit and DPO Requirements
The Personal Information Protection Law (PIPL) requires the conduct of audits (Audits) to evaluate compliance with PIPL and other applicable privacy and data security laws and regulations but provides little detail on the standards to be met and procedures to be followed in the conduct of Audits.
China’s data regulator, the Cyberspace Administration of China (CAC), has now finally provided this detail, with the issuance of the Measures for the Administration of Personal Information Protection Compliance Audits (个人信息保护合规审计管理办法, Measures), which will take effect on May 1, 2025. Issuance of the Measures comes 18 months after a draft version was published for public comment in August 2023. The Measures also clarify when a personal information (PI) handler (broadly akin to a “controller” under the GDPR) must appoint dedicated personnel responsible for data protection (using typical industry parlance, a data protection officer or DPO).
This alert offers a quick guide on the conduct of Audits, based on the Measures.
Article 54 of PIPL requires a PI handler to regularly audit its PIPL compliance (Regular Audit). Article 64 of PIPL also permits the supervisory authority to mandate that a PI handler engage a professional agency to conduct an Audit where it perceives that a PI processing activity involves high risks or where a security incident has occurred (Mandated Audit).
Regular Audits and Mandated Audits are subject to the following requirements:
| | Regular Audit | Mandated Audit |
| --- | --- | --- |
| When | | The Measures provide that the supervisory authority may require conduct of a Mandated Audit if: |
| By whom | A Regular Audit may be undertaken by the PI handler itself or by a professional agency | A Mandated Audit must be undertaken by a professional agency |
| Timeline for completion | The Measures do not stipulate a specific timeline for completing a Regular Audit | A Mandated Audit must be completed within the timeframe prescribed by the supervisory authority |
| Reporting | The Measures do not stipulate a reporting requirement for a Regular Audit | The PI handler must: |
The as-issued Measures are less strict on when and how often Regular Audits are conducted than the August 2023 draft contemplated, reflecting CAC’s broader effort to streamline compliance requirements. The draft had contemplated that (1) PI handlers processing PI of more than one million individuals would be required to undertake a Regular Audit at least once a year and (2) other PI handlers would be required to undertake a Regular Audit at least once every two years.
With the as-issued Measures no longer stipulating the frequency for conduct of Regular Audits by smaller-scale PI handlers, those PI handlers have discretion to determine what is a reasonable frequency based on their own circumstances. Since larger-scale PI handlers themselves are held to a two-year cadence, it is reasonable to infer that Regular Audits by other PI handlers can be less frequent than every two years. Relevant circumstances might include the volume, scope, and sensitivity of PI processed, changes in the business operations and related PI processing activities, and the occurrence of security incidents, enforcement actions, and data subject claims.
The Measures include an annex titled Guidelines for Personal Information Protection Compliance Audits (Guidelines), which set forth requirements—or more precisely, control points—for Audits, depending on the area(s) of compliance an Audit is focused on. The Guidelines address Audit requirements for 27 discrete compliance areas under PIPL and other laws and regulations. These requirements are not new; the annex simply summarizes requirements already stipulated in PIPL and other laws and regulations. They cover all aspects of the processing of PI during the data life cycle, including the legal bases for processing, privacy notices, cross-border transfers, data subject rights, security measures, and internal management systems and policies.
On a related note, a draft recommended national standard for the conduct of Audits was issued for public comment in July 2024, contemplating detailed Audit standards covering scope, procedures, and record-keeping. We expect that this standard will be adopted soon, likely before the May 1, 2025, effective date of the Measures.
The Measures provide for no special licensing of professional agencies qualified to undertake Audits. They simply need to possess the requisite capabilities to conduct the Audit and the personnel, office, facilities, and funding needed to provide Audit services. Shortly after the Measures were issued, a draft guide was published, contemplating detailed requirements on the capabilities of professional agencies.
Meanwhile, the Measures require that a professional agency:
The draft Measures had contemplated that CAC would work with other regulators to maintain a list of recommended professional agencies, based on annual evaluations. Likely, in order to ease CAC’s administrative burden associated with Audits, this arrangement was jettisoned in the as-issued Measures in favor of voluntary certification under China’s existing certification and accreditation regime.
The Measures provide that they apply only to Audits conducted in China. However, PIPL, including its Audit provisions, technically speaking, does apply to those foreign PI handlers falling within the extraterritorial ambit of PIPL. CAC has not yet clarified whether and how foreign PI handlers ought to conduct Audits in practice.
Article 52 of PIPL states that PI handlers processing PI that exceeds the volume specified by CAC must appoint a DPO. Finally, with the issuance of the Measures, CAC has specified the relevant volume, namely PI of more than one million individuals. One of the key responsibilities of a DPO is to oversee the PI handler’s Audit work.
The Measures also restate Article 58(1) of PIPL, requiring PI handlers that provide important internet platform services, have a very large volume of users, or engage in complex types of business to establish an independent department principally comprising external members to supervise Audits.
When the Measures take effect on May 1, 2025, PIPL’s Audit provisions will become fully operational. We expect the CAC’s power to require the conduct of Mandated Audits and to review records of Regular Audits will be significant tools for the CAC in its policing of individual companies’ data processing practices.
Conducting regular, robust Audits can help a company demonstrate its compliance with PIPL to regulators in the event of an inspection and to data subjects in the event of a claim. Companies operating in China should incorporate Audit programs into their broader privacy compliance frameworks and properly distinguish such programs from other assessment requirements, including privacy impact assessments, assessments for cross-border data transfers, risk assessments for the processing of important data, and audits for the processing of PI of minors stipulated in the Regulations on the Cyber Protection of Minors.
It may not be practical to have a comprehensive PIPL-compliant Audit program in place by May 1, 2025. Nonetheless, companies might take some initial steps, such as (1) conducting a data mapping exercise to better understand the scope and volume of their PI processing activities, (2) benchmarking the company’s current privacy practices against the Guidelines, and (3) rectifying key potential noncompliance issues. Companies that process a large volume of PI or that for other reasons perceive themselves to be at a higher risk of CAC scrutiny (for example, because of recent enforcement against them by the CAC) might push forward now to schedule and prepare for the first Regular Audit. Companies that process PI of more than one million individuals should appoint a DPO.
As further explained in the Terms/Notices linked below, the information provided herein is not legal advice. Any information concerning the People’s Republic of China (PRC) is not an opinion on, determination on, or certification of the application of PRC law. We are not licensed to practice PRC law.