China: Compliance audit of personal data protection
In many respects, the Personal Information Protection Law (PIPL), which became effective on November 1, 2021, looks very similar to the EU's General Data Protection Regulation (GDPR). However, many of these similarities remain high-level principles under the PIPL, while the more detailed rules have been rolled out step by step. Earlier this year, the Cyberspace Administration of China (CAC) established security assessment procedures and Standard Contractual Clauses (SCCs) for data exports. Now the CAC is shifting its focus to compliance audits. On August 3, 2023, the CAC published the draft Administrative Measures for Compliance Audit of Personal Information Protection (Draft Audit Measures) for public comment. For Data Protection Officers (DPOs) and compliance officers, this topic will become another important task to include in their implementation planning for 2024.
In this Insight article, Julian Sun, from Taylor Wessing, delves into the key provisions of the Draft Audit Measures and sheds light on the evolving compliance audit framework, highlighting its importance, nuances, and potential impacts for companies operating in China.
What are compliance audits?
The statutory requirements for compliance audits were first stipulated in Articles 54 and 64 of the PIPL, which cover two types of audit. One is the regular internal audit conducted by a personal information (PI) handler (a term whose Chinese wording reads like 'processor' under the GDPR, but which is in fact the Chinese equivalent of a controller under the GDPR). The other is the compulsory audit initiated by regulators and conducted by a qualified third-party agency, commonly referred to as an external audit. The Draft Audit Measures follow these two categories and provide more details.
The regular audit may be conducted by a PI handler itself or delegated to a qualified third-party auditor. However, the latter becomes mandatory in two scenarios:
- the CAC identifies 'high risks' in a PI handler's PI processing activities; or
- a data breach occurs.
The external audit is supposed to be completed within 90 days, but that is not the end of the process. The PI handler in question shall take corrective action as requested by the CAC, and the implementation of such action is subject to review by the CAC. The two triggering events mentioned above are quite general and vague. It remains unclear what precisely constitutes 'high risks', and how a small data breach that has not yet come to the regulators' attention should be handled. This is not surprising, however, as it is one of many remaining ambiguities and uncertainties in the PRC's data protection legal framework. These ambiguities will be subject to discretionary interpretation by regulators as the external audit mechanism is implemented.
It also remains to be seen which agencies will be qualified to conduct external audits, and on what criteria.
For most companies, particularly those serving corporate clients for whom PI is not the primary focus (without overlooking the implications of 'important data'), the Draft Audit Measures make the internal self-audit the most relevant option. As a general rule, an internal self-audit is to be conducted every two years. This means that every company that qualifies as a PI handler under the PIPL, whether incorporated in China or outside it, will be required to conduct a self-audit. A more frequent schedule, i.e., an annual audit, applies only when the handler processes the PI of more than one million data subjects.
Regarding how to conduct an audit, including a self-audit, the Draft Audit Measures provide an annex outlining the main areas to be covered. The coverage is fairly comprehensive, reiterating almost every obligation that a PI handler must observe under the PIPL:
- legitimacy of the basis and the rules for processing PI;
- proper disclosure of the processing rules;
- fulfillment of the preconditions for processing sensitive PI;
- fulfillment of the preconditions for data sharing/transfer;
- fulfillment of data export clearance requirements;
- compliance with the rules for automated decision-making;
- processing of disclosed PI;
- joint processing and entrusted processing;
- protection of data subject's rights;
- sufficiency of internal organizational setup and measures for data security; and
- additional requirements for operators of large-scale online platforms.
Among the aforementioned areas, some are more relevant to multinational companies that frequently transfer PI across borders. For example, for those transferring PI outside of China, specific attention should be given to the following:
- complying with the requirements for security assessment or the execution and filing of SCCs depending on the type and quantity of concerned data;
- understanding the impact of the legal and cyber environment of the data recipient's jurisdiction on the exported PI;
- obtaining PRC regulators' prior approval before sharing data with foreign judicial and law enforcement authorities;
- avoiding the provision of data to any entity or individual on a negative list; and
- complying with applicable international treaties or agreements.
At the same time, a domestic data exporter's management of its overseas data recipients should also be examined in detail, including, but not limited to:
- sufficient knowledge of the overseas data recipient, including its ability to protect the exported PI;
- notification of PRC legal requirements for PI protection; and
- requesting and supervising the overseas data recipient to undertake PI protection obligations, such as through agreements or audits.
Similar to the GDPR, the Draft Audit Measures now require all covered companies to perform regular internal audits to check their level of compliance with the PIPL. This matters for staying compliant with the PIPL, because these audits will help in the event of a data breach or complaint. Being able to produce robust audit documentation can work in a company's favor with regulators, potentially leading to reduced penalties in a data breach case or following a whistleblower report of non-compliance.
That said, the impact of a PIPL audit should not be underestimated. Although many of the requirements addressed in the Draft Audit Measures might appear fairly routine under the PIPL, meeting them amounts to a full PIPL compliance exercise, which can become quite time-consuming and require dedicated resources and effort. A particularly important aspect is the organizational setup and resourcing at the China level, which, in our observation, often lags behind topics driven by media headlines rather than by sound risk mapping with sensible priorities.
Therefore, regardless of the remaining uncertainties and open questions, adopting a 'wait and see' approach is no longer an option, as it may have been in previous months. DPOs and compliance officers are advised to take a more in-depth look at their existing compliance initiatives for China and within China, in order to better manage the implications outlined in the Draft Audit Measures.