Enhanced Compliance with Personal Information Protection

On August 3, 2023, the Cyberspace Administration of China released the “Administration Measures for Personal Information Protection Compliance Audits (Draft for Solicitation of Comments)” (“Draft Measures”) which specifies the requirements for personal information processors to comply with personal information protection audits.

1. Application Scope

The Draft Measures are derived from Article 54 of the Personal Information Protection Law of the People’s Republic of China (“PIPL”), which requires personal information processors to conduct regular compliance audits on their processing of personal information in accordance with laws and regulations, and Article 64, which allows the competent authority responsible for personal information protection to interview the legal representative or main person in charge of a personal information processor or request the processor to commission a professional organization to conduct compliance audits if it detects significant risks in personal information processing activities or occurrence of personal information security incidents. The personal information processor shall take measures to rectify the issues identified. According to the definition in the PIPL, “personal information processor” refers to the organization or individual that independently determines the purposes and methods of processing personal information. Personal information processing includes collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information.

In daily business and management operations, all enterprises are inevitably involved in collecting, storing, and using personal information of their employees, in addition to possibly handling personal information of non-employee individuals. Therefore, all enterprises are subject to the governance of the Draft Measures and are required to conduct personal information protection compliance audits in accordance with its requirements.

2. Compliance Audit Requirements

Personal information processors are required to conduct personal information protection compliance audits at least once every two years. If the cumulative number of personal information processed by a personal information processor exceeds one million individuals, it must conduct a compliance audit at least once a year.

Personal information protection compliance audits can be conducted through (1) self-audits or (2) audits required by competent Authority.

 (1) Self-audits

Personal information processors can conduct personal information protection compliance audits by (an internal department of) themselves or entrust third-party professional organizations to conduct the audits.

(2) Audits required by competent Authority

If the competent Authority responsible for personal information protection detects significant risks in personal information processing activities or personal information security incidents, it may require the personal information processor to commission a third-party professional organization to conduct compliance audits, which should be completed within 90 working days. The deadline can be extended with the approval of the competent Authority. When the compliance audit is completed, the personal information processor is required to submit the compliance audit report issued by the third-party professional organization to the competent Authority. If the third-party professional organization provides rectification suggestions, the personal information processor should implement the rectification and have it reviewed by the third-party professional organization before submitting it to the competent department.

A third-party professional organization can conduct personal information protection compliance audits for the same audit target for a maximum of three consecutive times.

3. Key Points of Compliance Audits

Compliance audits focus on the legality of personal information processors’ activities at each stage of personal information processing and emphasize the protection of the legitimate rights and interests of individuals. The key points include: 

(1) legal basis for personal information processing activities, (2) rules for personal information processing, (3) fulfillment of notification obligations, (4) examination of joint personal information processing with others, (5) examination of subcontracting personal information processing, (6) examination of personal information transfer due to merger, reorganization, division, dissolution, or bankruptcy, (7) examination of providing personal information to third parties, (8) examination of the use of automated decision-making in personal information processing, (9) examination of public disclosure of personal information, (10) examination of the legality and purposes of installing image collection and personal identity recognition devices in public places, (11) examination of processing publicly available personal information, (12) examination of processing sensitive personal information, (13) examination of processing personal information of individuals under the age of 14, (14) examination of providing personal information overseas and related necessary measures, (15) examination of the right to deletion of personal information, (16) examination of ensuring individuals’ exercise of personal rights and interests, (17) examination of responding to individual’s requests, (18) examination of assuming subject responsibilities, (19) examination of internal control systems, (20) examination of security technical measures, (21) examination of internal training plans and implementation, etc.

4. Relationship between Compliance Audits and Self-Assessment/Impact Assessment

If a personal information processor intends to provide personal information overseas, it must choose one of three paths: security assessment, personal information protection certification, or standard contract filing. Under the security assessment path, the personal information processor is required to conduct a self-assessment of data export risks; under the standard contract filing path, the personal information processor is required to conduct a personal information protection impact assessment. Although self-assessment/impact assessment overlaps to some extent with compliance audits in terms of scope and content, their legal basis, prerequisites, and processes are different. Therefore, compliance audits cannot replace self-assessment/impact assessment, and vice versa.

5. Outlook

The release of the Draft Measures undoubtedly further increases the compliance costs for enterprises, especially those not involved in the cross-border transfer of personal information. Enterprises should treat this issue cautiously under the strict framework of the PIPL. Failure to comply with relevant compliance requirements may result in warnings, rectifications, and other administrative penalties. In extreme cases, enterprises may face fines of up to one million yuan, and the responsible executives and other individuals directly responsible may face fines of up to one hundred thousand yuan.