
On 12 February 2025, the Cyberspace Administration of China (CAC) issued the Measures for the Administration of Personal Information Compliance Audit (“Audit Measures”), which will take effect from 1 May 2025. The draft of the Audit Measures was first released for solicitation of public comments on 3 August 2023, and it took a year and a half for CAC to finalize the Audit Measures. In the final version of the Audit Measures, there are a few notable changes compared with the draft version, which reflect the evolving and more relaxed data protection regulatory stance of the CAC.


The Audit Measures are detailed rules for the implementation of the general requirements for personal information protection compliance audits stipulated under the Personal Information Protection Law of the PRC (PIPL) and the Regulations on the Administration of Network Data Security (“Network Data Security Regulations”, which took effect from 1 January 2025). Under the PIPL, each personal information processor (PIP, which is akin to a “data controller” under the data privacy laws in the EU and some other jurisdictions) has a statutory obligation to conduct a personal information compliance audit (“Audit”) periodically (Article 54 of the PIPL), and where any considerable risk is found in the personal information processing activity of a PIP or any personal information security incident is found with a PIP, the relevant data protection authority in China such as CAC (“Data Protection Authority”) may require such PIP to engage a professional institution to conduct an Audit (Article 64 of the PIPL). Article 27 of the Network Data Security Regulations requires each network data processor (a concept that can be considered almost equivalent to PIP, where only personal information but not other data is concerned) to conduct an Audit periodically either by itself or by engaging a professional institution to do the same.

The PIPL, the Network Data Security Regulations and other laws and regulations have imposed quite a large number of data protection obligations on PIPs. Obviously CAC does not and will never have sufficient resources and bandwidth to supervise all PIPs’ personal information processing activities. By establishing and rolling out the Audit requirements, CAC will be able to leverage social resources (whether PIPs themselves or the professional institutions engaged by them) to exert a more effective mandate over PIPs for the ongoing compliance of their personal information processing activities with applicable laws and regulations.

Click here to read the full alert containing a few highlights of the Audit Measures.

Author

Jay Ruan specializes in corporate and M&A and regulatory advisory matters in China. He has acted for clients across a broad range of industries, and has extensive experience in advising clients on strategic joint ventures and business alliances, corporate-commercial and technology transactions, TMT regulatory matters, as well as financial services and insurance regulatory matters.

Author

Chris Jiang is a Counsel in the Shanghai office of FenXun. FenXun established a joint operation office with Baker McKenzie in China as Baker McKenzie FenXun, which was approved by the Shanghai Justice Bureau in 2015.