China issues regulations on personal information protection compliance audits

February 24, 2025


On 14 February 2025, the Cyberspace Administration of China (CAC) officially released the Administrative Measures for Compliance Audits on Personal Information Protection (the Audit Measures), which will take effect on 1 May 2025.

These new regulations fill a legislative gap concerning the enforcement of personal information protection audits in China, marking a significant step in strengthening personal information protection compliance.

Here are the highlights:

  1. Clarification of Requirements under the Personal Information Protection Law

The Personal Information Protection Law (PIPL) establishes two types of compliance audits: self-audits and regulatory audits. Personal information handlers must conduct self-audits and, in cases of high-risk personal information processing activities or security incidents, undergo regulatory audits by external firms as mandated by the authorities. The Regulation on Network Data Security Management (Network Data Regulation) [1] also requires compliance audits for network data handlers to ensure adherence to laws and regulations.

Previously, organizations primarily evaluated their data processing activities through personal information protection impact assessments (PIPIA). While the PIPL had already introduced compliance audit obligations, the absence of detailed implementation rules created challenges in enforcement. The promulgation of the Audit Measures provides the much-needed clarity, offering standardized guidance for conducting personal information compliance audits in China.

  2. Types of Audits

The Audit Measures set out two categories of audits, in line with the PIPL:

  • Self-Audits: Personal information handlers, regardless of the volume or scale of personal information they handle, are required to conduct self-audits. These audits can be performed internally or outsourced to external firms.
  • Regulatory Audits: The CAC and other relevant regulatory authorities (e.g. telecom regulators, public security departments and industry regulators) may mandate a regulatory audit when a personal information handler is deemed to pose a significant risk to personal information or has experienced a personal information security incident. Regulators oversee the entire audit process, from selecting the external audit firm and approving the audit report to implementing remediation actions.

  3. Self-Audits

The Audit Measures provide flexibility for companies in conducting self-audits. If an organization has qualified internal auditors, it may perform in-house audits based on the principles of independence, objectivity, fairness, and confidentiality.

Self-audits may also be performed by external firms. Companies should verify that the external firm possesses the necessary qualifications and competencies. In turn, the audit firm must be granted sufficient access to conduct a thorough investigation, including site visits, business activity reviews, information system assessments, equipment inspections, and interviews with relevant personnel. To maintain audit objectivity, the same audit provider (or its affiliates) cannot conduct more than three consecutive audits for the same organization.

Entrusted processors acting on behalf of personal information handlers are not directly obligated to conduct compliance audits. The Audit Measures nonetheless specify key review points for such entrusted processing, which should prompt organizations to refine the audit clauses in their existing data processing agreements and to strengthen their supervision of entrusted processing activities.

  4. Regulatory Audits

The triggers for regulatory audits include scenarios where data processing activities severely impact personal rights or lack adequate security measures, or when personal information processing may infringe upon the rights of numerous individuals. These triggers do not require actual harm or confirmed violations.

Additionally, personal information security incidents (such as exfiltration, tampering, loss or destruction of personal information) necessitate regulatory audits if they involve over one million individuals’ personal information or more than 100,000 individuals’ sensitive personal information.

It is worth noting that organizations may be required to report personal information security incidents to regulatory authorities in accordance with applicable laws. The PIPL does not impose a minimum threshold for the reporting obligation. A draft regulation [2] issued by the CAC in 2023 on cybersecurity incident reporting suggests that a data breach involving over one million individuals’ personal information constitutes a “major cybersecurity incident,” which must be reported within one hour.

  5. Audit Frequency

Personal information handlers handling over 10 million individuals’ personal information must conduct compliance audits at least once every two years. Organizations, particularly those in retail and consumer-facing sectors, may consider regularly deleting or anonymizing personal information that is no longer necessary for business purposes so as to stay below the threshold that triggers this additional audit requirement.

For personal information handlers handling fewer than 10 million individuals’ personal information, the Audit Measures require self-audits on a “regular” basis without specifying a mandatory frequency. Businesses are therefore advised to monitor regulatory practice and enforcement trends in order to determine an appropriate audit schedule.

Industry-specific regulations may impose further requirements. For instance, the Administrative Measures on Data Security for Banking and Insurance Institutions [3] require banking and insurance institutions to conduct comprehensive data security audits at least once every three years, and additional audits following major security incidents.

  6. Audit Scope

Compliance audits must assess whether personal information handlers have established and effectively implemented internal management systems and operational protocols in accordance with applicable laws and regulations. The Audit Measures contain an annex which outlines key audit focus areas aligned with the PIPL’s statutory obligations.

There is potential overlap between personal information compliance audits and existing PIPIA practices. Companies that have already conducted PIPIAs may leverage previous data mapping, compliance gap analyses, and remediation reports to streamline compliance audits, provided that the information remains current and complete.

The Network Data Regulation also calls for better integration of compliance audits with important data risk assessments and cross-border data security assessments to reduce redundant assessments and alleviate compliance burdens on businesses.

  7. Audit Evidence and Methodologies

On 12 July 2024, the National Technical Committee 260 on Cybersecurity of the Standardization Administration of China (TC260) released a draft national standard, Data Security Technology – Requirements for Compliance Audits on Personal Information Protection [4]. This standard, designed as a supporting measure for the Audit Measures, details the specific audit evidence to be collected and the methodologies to be applied.

Organizations may refer to this standard for guidance on implementing compliance audits effectively. Likewise, businesses formulating personal information protection and cybersecurity compliance frameworks are advised to align them with the Audit Measures and the related national standards.

  8. Independent Oversight Mechanisms

The Audit Measures require large-scale internet platform operators with extensive user bases and complex business models to establish independent oversight bodies, composed primarily of external members, to monitor the implementation of compliance audits. This aligns with the Network Data Regulation, which requires “large network platforms” to publish annual personal information protection responsibility reports, including disclosures on the activities of their independent oversight bodies.

  9. Applicability to Overseas Entities

Although the PIPL has extraterritorial reach (i.e. it requires foreign companies processing the personal information of natural persons in China to comply with its requirements under certain circumstances), the Audit Measures explicitly state that they apply only to audits conducted within China. This raises the question of how overseas entities subject to the PIPL’s jurisdiction can fulfill their compliance audit obligations. Future regulatory guidance is expected to clarify this issue.


[1] Regulation on Network Data Security Management (in Chinese: 网络数据安全管理条例), issued by the State Council and effective from 24 September 2024. Original text: https://www.gov.cn/zhengce/content/202409/content_6977766.htm.

[2] Administrative Measures for Network Security Incident Reporting (Draft for Public Comment) (in Chinese: 网络安全事件报告管理办法(征求意见稿)), issued by the CAC. Original text: https://www.cac.gov.cn/2023-12/08/c_1703609634347501.htm.

[3] Administrative Measures on Data Security for Banking and Insurance Institutions (in Chinese: 银行保险机构数据安全管理办法), issued by the National Financial Regulatory Administration and effective from 27 December 2024. Original text: https://www.gov.cn/zhengce/zhengceku/202412/content_6995081.htm.

[4] Data Security Technology – Requirements for Compliance Audits on Personal Information Protection (Draft) (in Chinese: 数据安全技术 个人信息保护合规审计要求), issued by TC260. Original text: https://www.tc260.org.cn/front/bzzqyjDetail.html?id=20240712162705&norm_id=20231220163619&recode_id=55772.

Contacts

Frank Liu

Head of Shanghai Pacific Legal
Partner, Intellectual Property, Antitrust and Competition, Data Privacy, Data Compliance and Cybersecurity

With 20 years of experience, Frank Liu is a senior IP lawyer who heads the Intellectual Property practice of Shanghai Pacific Legal.

Johnny Liu

Senior Associate, Corporate and M&A, Data Privacy, Data Compliance and Cybersecurity

Johnny Liu is a senior corporate lawyer. He has significant experience in a wide variety of corporate matters. He also works with multinational companies on a range of data privacy compliance matters.