24 October 2023
In many aspects, the Personal Information Protection Law (PIPL), which became effective on November 1, 2021, looks very similar to the EU's General Data Protection Regulations (GDPR). However, many of these similarities remain as high-level principles under the PIPL, while more detailed content has been rolled out step by step.
Earlier this year, the Cyberspace Administration of China (CAC) established export security assessment procedures and Standard Contractual Clauses (SCCs) for data exports. Now, the CAC is shifting its focus to compliance audits. On August 3, 2023, the CAC published the draft Administrative Measures for Compliance Audit of Personal Information Protection (Draft Audit Measures) for public comment. For Data Protection Officers (DPOs) and compliance officers, this topic will become another important task to include in their planning for implementation in 2024.
In this Insight article, our experts delve into the key provisions of the Draft Audit Measures and shed light on the evolving compliance audit framework, highlighting its importance, nuances, and potential impacts for companies operating in China.
The statutory requirements for compliance audits were first stipulated in Articles 54 and 64 of the PIPL, which cover two types of audits. One is the internal regular audit conducted by a personal information (PI) handler (a term in Chinese that reads the same as processor under the GDPR, but is actually the Chinese equivalent of a controller under the GDPR). The other type is the compulsory audit initiated by regulators and conducted by a qualified third-party agency, commonly referred to as an external audit. The Draft Audit Measures follow these two categories and provide more details.
The regular audit may be conducted by a PI handler itself or delegated to a qualified third-party auditor. However, the latter becomes mandatory in two scenarios:
The external audit is supposed to be completed within 90 days, but is not the end of the process. The PI handler in question shall take corrective action as requested by the CAC, with the implementation of such action subject to review by the CAC. The two triggering events mentioned earlier are quite general and vague. It remains unclear what precisely constitutes 'high risks' and how to address a small data breach that has not yet been detected by regulators. This is not surprising, however, as it is part of many other remaining ambiguities and uncertainties in the PRC's data protection legal framework. These ambiguities will be subject to discretionary interpretation by regulators during the implementation of the external audit mechanism.
It also remains to be seen which agencies will be qualified to conduct external audits, and what criteria will govern their qualification.
For most companies, particularly those serving corporate clients where PI is not their primary focus (while not overlooking the implications of 'important data'), the Draft Audit Measures make internal self-audits the most relevant option. As a general rule, an internal self-audit is supposed to be conducted every two years. This means that every company that qualifies as a PI handler under the PIPL, regardless of whether it is incorporated in China or outside of China, will be required to conduct a self-audit. A more frequent audit schedule, i.e., an annual audit, only applies when processing PI for more than one million data subjects.
Regarding how to conduct an audit, including a self-audit, the Draft Audit Measures provide an annex that outlines the following main areas to be covered in an audit. This is a fairly comprehensive coverage, generally reiterating almost every single obligation that a PI handler shall observe under the PIPL:
Among the aforementioned areas, some are more relevant to multinational companies that frequently transfer PI across borders. For example, for those transferring PI outside of China, specific attention should be given to the following:
At the same time, a domestic data exporter's management of its overseas data recipients should also be examined in detail, including, but not limited to:
Similar to the GDPR, the Draft Audit Measures now require all covered companies to perform regular internal audits to check the level of compliance with the PIPL. This is very important to stay compliant with the PIPL, as these audits will help you in the event of a data breach or complaint. Being able to provide robust audit documentation can work in your favor with regulators, potentially leading to reduced penalties in the event of a data breach case or a whistleblowing of non-compliance.
That said, the impact of a PIPL audit should not be underestimated. Though many of the requirements addressed in the Draft Audit Measures might appear fairly routine under the PIPL, meeting them amounts to a full PIPL compliance exercise, which could become quite time-consuming and require dedicated resources and effort. A particularly important aspect is the organizational setup and resources at the China level, which, based on our observations, often lag behind other topics that are driven by media headlines rather than by sound risk mapping with sensible priorities.
Therefore, regardless of the remaining uncertainties and questions, adopting a 'wait and see' approach is no longer an option as it was in previous months. DPOs and compliance officers are advised to have a more in-depth look at their existing compliance initiatives for China and within China, to better manage the implications outlined in the Draft Audit Measures.
By Dr. Michael Tan and Julian Sun