
Comments on the PI Protection Compliance Audit Measures


On August 3, 2023, the Cyberspace Administration of China ("CAC") issued the draft Administrative Measures for Personal Information Protection Compliance Audit and the accompanying "Personal Information Protection Compliance Audit Reference Points" ("Audit Reference Points"; collectively, the "PI Audit Measures") for public comment.

The PI Audit Measures set forth detailed guidelines on Articles 54 and 64 of the Personal Information Protection Law of the People's Republic of China ("PIPL"), which took effect on November 1, 2021 and requires personal information ("PI") processors to conduct audits of their PI processing activities on a regular basis and from time to time.

In this article, we explain the key contents of the PI Audit Measures that enterprises should note and provide corresponding solutions.

I. Key contents of the PI Audit Measures

1. Details of the PI Audit System

It is worth noting that, unlike the legal requirements for establishing a PI protection body or for data export, the PI audit obligations stipulated in the PI Audit Measures are mandatory and apply to all PI processors, with no exemptions or mitigations based on the specifics of their PI processing activities.

Based on Articles 54 and 64 of the PIPL, the PI Audit Measures provide more detail on the specific requirements of two types of audits: regular self-audits and irregular supervisory audits:

1.1 Regular PI self-audits

Specifically, PI processors that have processed the PI of more than 1 million individuals shall conduct a PI audit at least once a year; other PI processors shall conduct a PI audit at least once every two years.

1.2 Irregular regulatory PI audits

If the cyberspace department, in the course of performing its duties and responsibilities, discovers that "there are high risks in PI processing activities" or "PI security incidents have occurred", it may require the PI processor to entrust a professional agency to conduct a compliance audit of its PI processing activities. Such risks or incidents may include PI security risks reflected in user complaints and reports, civil litigation, administrative penalties, public opinion risks and materials voluntarily disclosed by PI processors (such as self-assessment reports on data transfer security).

Different from regular self-audits, the regulatory PI audits carried out at the request of the cyberspace department must be conducted by a professional institution entrusted by the PI processor and cannot be conducted by the PI processor internally. The PI Audit Measures therefore provide for a recommended list of audit institutions, encouraging PI processors to give preference to the professional institutions on that list when carrying out PI audits.

2. Specific Procedures and Obligations of All Parties for PI Audits

2.1 Audit procedures

The PI Audit Measures do not stipulate much regarding self-audits; enterprises should conduct their own audits at the frequency specified in the PI Audit Measures. For regulatory audits, however, the PI Audit Measures stipulate the following procedure:

(a) Trigger: When the cyberspace department discovers that "there are high risks in PI processing activities" or "PI security incidents have occurred", it may request the enterprise to conduct a PI audit;

(b) Select and entrust a professional agency: After receiving the request from the cyberspace department, the enterprise should refer to the recommended list of professional agencies or select and entrust an external professional agency on its own to conduct the PI audit as soon as possible;

(c) Conduct the PI audit: The audit should be completed within 90 working days; where the situation is complicated, the period may be extended appropriately with the approval of the department performing PI protection duties and responsibilities;

(d) Submit the PI audit report: The PI processor should submit the PI audit report issued by the professional institution to the department performing PI protection duties and responsibilities. The report should be signed by the person in charge of the PI audit and the person in charge of the professional institution and stamped with the official seal of the professional institution;

(e) Rectify and report the rectification results: The PI processor should rectify according to the suggestions given by the professional institution and, after review by the professional institution, submit the rectification results to the department performing PI protection duties and responsibilities.

2.2 Obligations of all parties

PI processors have an obligation to cooperate with professional institutions and should ensure that the professional institutions can exercise their authority normally, including by providing, or assisting in consulting, relevant documents or materials; allowing entry into the relevant premises of PI processing activities for investigation and observation; allowing checks and tests of the related equipment and facilities; allowing interviews with personnel; and allowing investigation, inquiry and evidence-taking on the relevant issues, and so on. It can be seen that entrusting a third party to conduct a PI audit will inevitably have a certain impact on corporate business activities.

Similarly, the PI Audit Measures make detailed provisions on the code of conduct of professional institutions, including requirements such as no subcontracting, independence and objectivity, confidentiality obligations, no malicious interference with normal operations, and audit authenticity.

3. Reference Points for PI audits

The PI Audit Measures list, in the appended Audit Reference Points, the review matters that PI processors, or the professional institutions they entrust, should consider when conducting PI audits; the Audit Reference Points summarize the general audit requirements of the PIPL and the Information Security Technology Personal Information Security Specification (GB/T 35273-2020):

(a) The lawful basis of processing activities, such as obligations to inform and obtain consent;

(b) Special processing scenarios: joint processing, entrusted processing, transfer, external provision, disclosure, automated decision-making, etc.;

(c) Rights of PI subjects: right to delete, methods of exercising rights, etc.;

(d) Internal PI protection system: such as the internal management system and operating procedures for PI protection, the person in charge of PI protection, PI protection impact assessment, security incident emergency plans and emergency response, etc.

In addition, the Audit Reference Points also incorporate the compliance requirements for cross-border PI processing in laws and regulations related to data export, such as the Measures for the Security Assessment of Outbound Data Transfer and the Measures for the Standard Contract for the Outbound Transfer of Personal Information, the compliance requirements for large-scale Internet platform operators, and legal regulations on online violence management, recommendation algorithms, etc.

The Audit Reference Points basically cover the entire process of PI processing and can be used as a reference when conducting PI audits. Given their recommended, non-mandatory nature, we understand that enterprises and PI audit institutions may also supplement the matters listed in the Audit Reference Points in accordance with other applicable laws and regulations and with possible future updates to laws and regulations.

4. Legal liability for violating the PI Audit Measures

Article 15 of the PI Audit Measures stipulates that PI processors who violate its provisions shall be punished in accordance with the PIPL and other laws and regulations. Therefore, PI processors that fail to perform their PI audit-related obligations may be subject to the penalties for violating PI protection obligations under the PIPL, including but not limited to high fines and personal liability of senior executives.

II. Practical Concerns and Suggestions for Enterprises

1. Pay attention to legislative trends and properly perform PI audit obligations

We understand that, on the one hand, the PI audit system, especially audits conducted by third-party professional institutions, will be included by the cyberspace departments in the "regulatory toolbox" of their daily law enforcement to identify and rectify enterprises' improper PI processing activities. On the other hand, a complete and objective PI audit report can also be powerful material for an enterprise to prove the compliance of its PI processing to the cyberspace department. Therefore, we recommend that enterprises pay attention to the relevant provisions of the PI Audit Measures once officially issued and connect the PI audit system with the compliance requirements of other PI protection laws and regulations.

Since PI audits are bound to have a certain impact on the business activities of PI processors, we recommend that PI processors proactively follow, in their daily operations, the frequency specified in the PI Audit Measures and the considerations specified in the Audit Reference Points, and perform self-audits so as to detect and avoid, as early as possible, PI security incidents that may trigger a regulatory PI audit.

2. Pay attention to the overlap between the PI audit system and other information disclosure obligations

The audit materials, reports, etc. collected and compiled by an enterprise during its own PI audit can also serve as proof that the enterprise has fulfilled its PI protection obligations during inquiries or investigations by the cyberspace department. The content of the PI audit report can also be cross-referenced with other statutory disclosures made by the enterprise, such as the data export risk self-assessment report prepared when applying for a data export security assessment, personal information protection impact assessment reports, network product security vulnerability reports, the annual automobile data security management report, and even disclosures and inquiry responses during a listing process, to ensure that the disclosed content is correct and to save the cost of preparing the relevant disclosure documents.

3. Establish an internal PI audit system as early as possible

In order to carry out PI audits smoothly, enterprises should establish the relevant internal audit systems as early as possible, including (a) the frequency and process of PI audits; (b) PI audit matters and standards; (c) the coordination process between the audit department (which may be the IT, legal or compliance department) and other departments (human resources, business, etc.), to strengthen cross-department and cross-professional communication and cooperation within the enterprise; (d) selection requirements and processes for professional institutions; (e) coordination and communication mechanisms with regulatory authorities; and (f) rectification and control measures after audits, etc.

4. Special concerns for multinational enterprises

Around the world, many jurisdictions have introduced similar regulations on PI audits, of which the EU's GDPR is the most influential. It not only regulates data processing and protection but, together with the EDPS Audit Guidelines, also clarifies the specific requirements for data protection audits. As under China's PI Audit Measures, EU companies can not only prove the legality and compliance of their PI processing through PI audits, but regulatory authorities can also require companies to conduct PI audits during investigations.

The UK's Information Commissioner's Office (ICO) has also released A Guide to ICO Audits. Unlike in China and the EU, PI audits in the UK are voluntary for companies but are conducted by the ICO. In the United States, the California Privacy Rights Act requires companies whose PI processing activities pose significant risks to consumer privacy or security to conduct an annual cybersecurity audit. The audit must be conducted every year, and the company should define the audit scope clearly and ensure the thoroughness and independence of the audit through its audit procedures.

In view of this, multinational enterprises, especially those operating in jurisdictions with relatively complete data protection legislation such as the United States, Europe and China, need to strengthen communication between their headquarters and their Chinese subsidiaries; pay special attention to the links and differences between the existing personal information or data audit systems in each country and the Chinese PI audit system established by the PI Audit Measures; become familiar with the different timelines on which audit obligations are triggered in the various jurisdictions; and clarify the overlaps and differences in audit matters across countries, so as to ensure that the operations of both headquarters and Chinese subsidiaries fully comply with applicable laws and regulations.

Special Statement:

Dacheng Law Offices (大成律师事务所) strictly complies with its information protection obligations to clients; any client project content referred to in this article is taken from public information or has been approved by the client. The full content and views are for reference only, do not represent any position of Dacheng Law Offices, and should not be regarded as constituting any form of legal opinion or advice. To reproduce or cite any content of this article, please contact us by private message for authorization and indicate the source at the beginning of the article when reproducing it. Without authorization, no content of this article may be reproduced or used.


Notice: The content above (including the pictures and videos if any) is uploaded and posted by a user of NetEase Hao, which is a social media platform and only provides information storage services.

Author: 大成律师事务所 (Dacheng Law Offices)
Posted: 2024-05-22 05:38:44