China to Require Regular Compliance Audits for Personal Information Protection

Posted by Written by Arendse Hul Reading Time: 10 minutes

A new set of draft measures require all companies that process personal information in China to undergo regular compliance audits to ensure compliance with China’s regulations on personal information protection. Under the draft rules, companies can either appoint an internal department or a third-party agency to conduct the audit. Auditors will oversee whether companies comply with the China Personal Information Protection Law and other related regulations, including compliance with cross-border personal information transfer regulations.


The Cybersecurity Administration of China (CAC) has released a new set of draft measures requiring companies that process the personal information (PI) of subjects in China to undergo regular compliance audits. 

The new measures have been formulated under China’s Personal Information Protection Law (PIPL), the overarching law governing the handling of PI in China. The compliance audit of PI processors will assess whether companies are in compliance with the PI protection requirements of the PIPL, as well as other auxiliary measures and regulations. 

Although the new measures do pertain to the companies engaged in PI processing themselves, the rules that are laid out in the measures are mostly directed at the professional third-party institutions that can be entrusted to conduct compliance audits on behalf of companies. 

The CAC will be soliciting opinions from the public on the measures until September 2, 2023. 

Who has to conduct regular compliance audits?

The draft measures stipulate that companies that process the PI of over one million people are required to undergo a compliance audit at least once a year. All other companies that process PI are required to undergo a compliance audit at least once every two years.

Companies are permitted to carry out compliance audits on their own using either an internal organization or an entrusted third-party agency. Whichever organization carries out the audit must do so in accordance with the new draft measures. 

The national and local cybersecurity departments, in conjunction with the public security organs and other relevant departments of China’s cabinet, the State Council, will be required to establish a catalog of recommended professional institutions to conduct PI protection compliance audits. This catalog will be updated on a yearly basis. Companies will be encouraged to select the agency from this catalog to conduct the audits. 

What is PI and PI processing? 

“PI” is defined very broadly in the PIPL and is described as “various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously”.  

This means PI can include any data points or information that can be used to identify an individual, such as names, phone numbers, and IP addresses. Separately, the PIPL also defines “sensitive” PI, which is subject to stricter protection requirements. Sensitive PI includes (but is not limited to):   

  • Biometric data (such as fingerprints, iris and facial recognition information, and DNA);  
  • Data pertaining to religious beliefs or “specific identities”;
  • Medical history; 
  • Financial accounts; 
  • Location and whereabouts; and 
  • Any PI of minors under the age of 14. 

The “processing” of PI is defined in the PIPL as “the collection, storage, use, processing, transmission, provision, publication, and erasure of PI”. 

Meanwhile, the cross-border transfer of PI, or “PI export activity” as it is sometimes called in relevant regulations, is defined as:  

  • When PI processors transmit and store PI that has been collected and generated during domestic operations overseas; 
  • When PI collected and generated by PI processors is stored within China, but overseas institutions, organizations, or individuals can inquire, retrieve, download, and export the PI; and
  • Other acts of exporting PI abroad as specified by the CAC. 

What are the obligations of the company when undergoing a third-party audit? 

Where a company entrusts a third-party agency to carry out the audit, it must ensure that the agency is able of carrying out the following activities during the audit: 

  1. Require the company to provide or assist in reviewing relevant documents or materials;
  2. Access places related to PI processing activities; 
  3. Observe the PI processing activities taking place on the premises; 
  4. Investigate relevant business activities and the information systems they rely on; 
  5. Inspect and test equipment and facilities related to PI processing activities; 
  6. Obtain and consult data or information related to PI processing activities; 
  7. Interview personnel involved in PI processing activities; 
  8. Conduct investigations, question, and collect evidence on relevant issues; and 
  9. Other duties that are necessary to carry out compliance audit work. 

In normal scenarios, third-party agencies should complete the audit within 90 working days but may apply for an extension if the situation is complex. 

What is assessed during the compliance audit? 

The compliance audit scope depends on the company’s specific PI processing activity.  

In addition to the draft measures, the CAC released a reference document for the agency or department carrying out the audit work, which outlines which areas of compliance the department or agency tasked with completing the audit should focus on during the audit. 

There are 18 different areas of audit outlined in the reference document: 

  1. The basic conditions for the legality of the PI processing activity;
  2. Compliance with PI processing rules;
  3. Compliance with the duty of disclosure when handling PI;
  4. Compliance with regulations on the joint processing of PI with other companies;
  5. Compliance with regulations on entrusting PI processing to another company;
  6. Compliance with regulations on the transfer PI due to mergers, reorganizations, divisions, dissolutions, bankruptcy declarations, and so on;
  7. Compliance with regulations on the provision of PI that a company processes to another company;
  8. The transparency of automated decision-making and the fairness and impartiality of the results of automated decision-making when a company employs this mechanism to process PI;
  9. Compliance with relevant regulations when a company discloses PI that it processes;
  10.  The legality of the installation of image collection and personal identification equipment in public places and the use of the PI collected by companies;
  11. Compliance with or possible violations of regulations on handling disclosed PI;
  12. Compliance with relevant regulations on the handling of “sensitive PI”;
  13. Compliance with regulations on the handling of the PI of children under the age of 14;
  14. Compliance with regulations on the transfer of PI overseas;
  15. The effectiveness of the measures of companies that transfer PI overseas to ensure that the activities of the overseas PI recipient meet the PI protection standards stipulated in the PIPL;
  16. Review of the PI deletion procedures for ensuring individuals’ rights to delete their PI;
  17. Compliance with relevant regulations to protect individuals’ right to exercise their PI rights and interests; and
  18. Compliance with requirements for companies to respond to individual applications and explain their PI processing rules to users. 

Some of these areas are applicable only in specific situations, while some will apply to all companies engaged in PI processing. 

For instance, the “basic conditions” for the legality of the company’s PI processing activities will apply to most companies. The reference document outlines six key “basic conditions” that should be met during the audit, which are summarized in the table below. 

Basic Conditions for PI Processing Compliance Audit (Draft Rules)

  Audit condition  Corresponding legal requirement  Relevant legislation 
1  Whether personal consent has been obtained from the PI subject* for processing PI, and whether the consent is voluntary and clearly made on the premise that the PI subject is fully informed.  Only where the consent is obtained from the individual concerned may a company process PI.  Article 13 Item 1 of the PIPL 
2  After obtaining personal consent, and if the purpose, method, and type of PI being processed changes, whether the company has obtained separate personal consent for the new processing scenario.  If the purpose or method of processing PI or the type of PI to be processed changes, the individual’s consent shall be obtained again.  Article 14 Paragraph 2 of the PIPL 
3  Whether the company provides convenient ways for individuals to withdraw their consent to process their PI.  Where the processing of PI is based on the consent of the individual concerned, the individual is entitled to withdraw his/her consent. The PI processor shall provide convenient means to withdraw consent.  Article 15 Paragraph 1 of the PIPL 
4  Whether the personal consent to process the PI has been recorded.  NA  NA 
5  Whether there is a situation in which the company refuses to provide products or services on the grounds that the individual does not agree to the processing of their PI or withdraws their consent; except in cases where the processing of PI is necessary for the provision of the products or services in question.  A company shall not refuse to provide products or services on the grounds that the individual does not agree to process their PI or withdraws their consent unless the processing of PI is necessary for providing products or services.  Article 16 of the PIPL 
6  When a company processes PI without obtaining the individual’s consent, whether the activity falls under the circumstances in which the individual’s consent is not required.  Companies may process the PI of an individual without their consent in the following scenarios: 

  • Where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or to implement human resources management in accordance with labor rules and regulations formulated according with laws and collective contracts concluded according to law; 
  • Where it is necessary for the performance of statutory duties or statutory obligations; 
  • Where it is necessary for coping with public health emergencies or for the protection of the life, health, and property of a natural person; 
  • Where activity such as news reporting and supervision of public opinion is carried in the public’s interest and the processing of PI is within a reasonable scope; 
  • Where the PI is disclosed by individuals themselves or other legally disclosed PI is processed within a reasonable scope in accordance with the provisions of the PIPL; and 
  • Other circumstances provided by laws and administrative regulations. 
Article 13 Items 2 to 7 of the PIPL 
*PI subject refers to the user of the digital service (the end consumer) from which the PI has been collected. 

Compliance audit for cross-border PI transfer 

One of the areas of the compliance audit that may impact foreign companies and multinationals in particular surrounds the regulations on the cross-border transfer of PI. 

Under the PIPL, companies that need to transfer a certain volume of PI of Chinese subjects overseas (or enable overseas staff members to access PI stored in China) are required to adhere to certain procedures and regulations. 

Depending on the volume and type of PI being transferred, this may involve signing a standard contract with the overseas entity that will receive the PI, undergoing a security review by the CAC, or getting certified by a third-party agency. 

The focus of the compliance audit will therefore be on whether the company meets the requirements set out in the various regulations for the export of PI. These requirements are summarized in the table below. 

Focus Areas for Compliance for Cross-Border PI Transfer (Draft Rules)

  Audit focus  Corresponding legal requirement  Relevant legislation 
1  Whether the PI transferred overseas by critical information infrastructure operators (CIIOs) and PI processors who process the PI of more than one million people have passed the security assessment organized by the CAC.  Companies must undergo a security assessment by the CAC if they wish to export data if they are:   

  • CIIOs and data processors that process PI of more than one million people providing PI overseas. 
Article 38 of the PIPL 

Article 4 Item 2 of the Measures for Data Export Security Assessment  

2  Whether PI processors who have provided the PI of 100,000 people or the sensitive PI of 10,000 people overseas since January 1 of the previous year have passed a security assessment organized by CAC.  Companies must undergo a security assessment by the CAC if they wish to export data if they are: 

  • Data processors that have transferred the PI of over 100,000 people or the “sensitive” PI of over 10,000 people overseas since January 1 of the previous year. 
Article 38 of the PIPL 

Article 4 Item 3 of the Measures for Data Export Security Assessment  

3  Whether the company has transferred PI stored in China to a foreign judicial or law enforcement agency, and if so, whether it has been approved by the Chinese competent authority of the People’s Republic of China.  Without the approval of the competent Chinese authority, PI processors shall not provide the PI stored within China to judicial or law enforcement agencies outside China’s territory.  Article 41 or the PIPL 
4  If the international treaties and agreements concluded or joined by the People’s Republic of China have provisions on the conditions for providing PI outside the territory of the People’s Republic of China, whether the provisions are followed.  The competent Chinese authority shall, in accordance with relevant laws and international treaties and agreements concluded or participated in by China, or in accordance with the principle of equality and reciprocity, handle requests from foreign judicial or law enforcement agencies for the provision of PI stored in China.  Article 41 or the PIPL 
5  Whether, in accordance with the regulations of the CAC, the PI protection certification has been carried out by a professional institution, or a contract has been signed with an overseas recipient in accordance with the standard contract formulated by the CAC, or it has complied with laws, administrative regulations, and the provisions of the CAC.  Companies that have processed the PI of less than 100,000 people and/or the “sensitive” PI of under 10,000 people since January 1 of the previous year can choose to undergo third-party certification or sign a standard contract with the overseas recipient to export PI overseas.  Article 38 of the PIPL 

Implementation Rules for Personal Information Protection Certification 

Article 4 of the Measures for Standard Contracts for Exporting Personal Information Overseas 

6  Whether the company understands the impact of the PI protection policies and cybersecurity environment of the country or region where the overseas recipient is located on the outbound PI.  Companies must conduct a PI protection impact assessment if they provide PI to overseas parties. 

Before transferring PI impact assessment must assess the impact that the PI protection policies and regulations in the country or region where the overseas recipient is located may have on the security and protection of the PI. 

Article 55 Item 4 of the PIPL

Article 5 Item 5 of the  

Measures for Standard Contracts for Exporting Personal Information Overseas 

 

7  Whether the company has violated regulations related to the provision of PI to organizations or individuals who are restricted or prohibited from receiving PI.  The CAC may add overseas organizations or individuals who have engaged in PI processing activities that damage the rights and interests of Chinese citizens or endanger China’s national security or public interests to a list of entities that are restricted or prohibited from receiving PI. The CAC may also announce the addition of these entities to the list and take measures to restrict or prohibit the provision of PI to these entities.  Article 42 of the PIPL 
Note: Above requirements are not exhaustive. 

Implications for foreign companies 

The requirements for regular compliance audits, if passed into law in their current form, will add an additional compliance burden for foreign companies operating in China, similar in nature to statutory financial audits. However, China has now already been building out its PI protection regulatory framework for a few years, and most companies operating in China will have begun to implement processes to comply with these regulations.

For this reason, although the audit itself represents an additional process, companies that are already working to comply with regulations do not have any reason to be concerned with the outcome of an audit. Additionally, compliance audits may help companies to better understand how the regulations will be implemented. 

Transparency and cooperation with auditors will be key to ensuring smooth auditing procedures. Companies that have not implemented procedures to comply with current PI protection laws are advised to take steps to rectify any potential oversights or violations as soon as possible. 

About Us

China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at china@dezshira.com.

Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, Dubai (UAE), and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.