XL INSIGHTS+
Legal Alerts and News Updates

China Releases Final Measures for Compliance Audits on Personal Information Protection

  • Recently, the CAC released the final Measures for the Administration of Compliance Audits on Personal Information Protection (“Measures”), which will come into effect on May 1, 2025.

  • The Measures specify the scenarios in which the CAC may require handlers to conduct audits and the threshold above which handlers must appoint a personal information protection officer.


On August 3, 2023, the Cyberspace Administration of China (“CAC”) released the draft Measures for the Administration of Compliance Audits on Personal Information Protection, which were open for public comment until September 2, 2023. In February 2025, the CAC released the final Measures for the Administration of Compliance Audits on Personal Information Protection (“Measures”), which will come into effect on May 1, 2025. The Measures outline requirements and procedures for compliance audits under the Personal Information Protection Law (“PIPL”).

 

Who Is Required to Conduct Compliance Audits?

The PIPL requires all personal information handlers to regularly conduct compliance audits of their personal information handling activities (“Self-Audits”). The Regulation on the Protection of Minors in Cyberspace requires handlers that handle minors’ personal information to conduct Self-Audits at least once a year. The Measures require handlers that handle the personal information of more than 10 million individuals to conduct Self-Audits at least once every two years. The Measures do not specify a frequency for handlers that handle the personal information of fewer than 10 million individuals; those handlers should therefore set a reasonable audit frequency based on their own circumstances (for example, the volume and sensitivity of the data they handle and the risk of their handling activities).

 

The PIPL also provides that the CAC and other authorities may require handlers to entrust an external specialized agency to conduct compliance audits of their handling activities (“Requested Audits,” together with Self-Audits, collectively “Compliance Audits”). The Measures mandate Requested Audits in the following three scenarios:

 

  1. where there is a serious impact (as determined by the CAC or other Chinese authorities) on individuals’ rights or a serious lack of security measures;

  2. where handling activities may infringe upon the rights of numerous individuals; or

  3. where there has been a security incident resulting in the leak, tampering, loss, or damage of: i) personal information of over one million individuals, or ii) sensitive personal information of over 100,000 individuals.

 

Given the extraterritorial applicability of the PIPL, handlers located outside the PRC are not exempt from the PIPL’s Compliance Audit requirement. However, the Measures state that they apply to Compliance Audits conducted within the PRC, so it is unclear whether the Measures themselves bind overseas handlers. If they do not, it is equally unclear which requirements or guidelines overseas handlers should follow when conducting Compliance Audits.

 

How Should Handlers Conduct Compliance Audits?

Handlers have the choice of conducting Self-Audits through internal departments or external specialized agencies, but they must employ external specialized agencies to conduct Requested Audits.

 

Article 52 of the PIPL requires handlers handling personal information above the threshold specified by the CAC to appoint a personal information protection officer (“PIPO”). The Measures further clarify that handlers handling personal information of more than one million individuals are required to appoint a PIPO. The PIPO must have relevant work experience and expertise in relevant laws and regulations on personal information protection. The PIPO is responsible for coordinating internal departments and personnel, putting forward options and suggestions prior to decision-making on significant matters relating to the handling of personal information, halting any non-compliance in the handling of personal information, and taking necessary corrective measures.

 

Handlers that handle the personal information of fewer than one million individuals are not required to appoint a PIPO. In those cases, Compliance Audits should be coordinated by the handler’s internal departments (e.g., compliance, legal, or IT).

 

To conduct Compliance Audits, external specialized agencies must have the necessary capabilities, including qualified personnel, facilities, and funding. Agencies are encouraged to obtain certification in accordance with the Regulations of the People’s Republic of China on Certification and Accreditation. An agency may not subcontract a Compliance Audit, and the same agency or the same person in charge of the audit may not conduct more than three consecutive Compliance Audits for the same handler.

 

What Must be Audited?

The Measures provide guidelines for Compliance Audits that cover the following aspects of a handler’s activities:

 

  1. the legal basis for handling personal information;

  2. handling rules;

  3. performance of notification obligations;

  4. handling with joint handlers, entrusted parties, and/or other handlers;

  5. special handling activities (e.g., automatic decision-making, disclosure of personal information, installing image-collecting and personal information identification equipment in public places, handling of disclosed personal information, handling of sensitive personal information, and cross-border personal information transfer);

  6. protection of individuals’ PIPL rights;

  7. obligations of handlers; and

  8. internet platform services providers (if applicable).

 

A Compliance Audit of a cross-border personal information transfer must include a review of compliance with the PIPL and the Provisions on Facilitating and Regulating Cross-Border Data Flows. For a non-Critical Information Infrastructure Operator (“Non-CIIO”), the audit should therefore check which transfer mechanism applies to the volume of data transferred in the calendar year and whether that mechanism has been satisfied: a transfer of the personal information (excluding sensitive personal information) of at least 1,000,000 individuals, or of the sensitive personal information of at least 10,000 individuals, must have passed a CAC security assessment; a transfer of the personal information (excluding sensitive personal information) of 100,000–999,999 individuals, or of the sensitive personal information of 1–9,999 individuals, must have obtained a personal information protection certification or completed a Standard Contractual Clauses (SCCs) filing.

 

Implications for IHEs

Conducting Compliance Audits is not a new requirement; the PIPL has always required U.S. higher education institutions that handle the personal information of individuals in China to conduct Self-Audits. Although it is unclear whether the Measures apply to handlers outside China, U.S. institutions may want to proactively follow the Measures, which set out the detailed requirements and guidelines for conducting Compliance Audits. In particular, institutions that have established Wholly Foreign Owned Enterprises (WFOEs) in China, or that have in-country collaborations with Chinese entities, will likely need to comply with the Measures. Additionally, institutions that handle the personal information of more than one million individuals must appoint a PIPO, who will be responsible for the Compliance Audits. While this may be an additional burden, conducting Compliance Audits will help institutions demonstrate compliance with the PIPL and the relevant regulations and guidelines.



© 2024 XL Law & Consulting P.A. - A U.S. Corporation - Privacy Policy - Cookies Policy - Contact Us

The information provided on the XL Law & Consulting website is for educational purposes only. Nothing on this website should be construed as or relied upon as legal or other professional advice, nor does use of this website create an attorney-client relationship.