On February 12, 2025, the Cyberspace Administration of China (CAC) issued the Rules on Compliance Audit for Personal Information Protection (PIPCA Rules) to implement the compliance audit requirements under the Personal Information Protection Law (PIPL) and the Regulation on Network Data Security Administration (Network Data Regulation). The PIPCA Rules will come into effect on May 1, 2025.
Following the release of the PIPCA Rules, on March 3, 2025, the Secretariat of the National Cybersecurity Standardization Technical Committee published the Guideline for Cybersecurity Standards Practice - Requirements for Professional Institution's Service Capabilities in Personal Information Protection Compliance Audits (draft for comments) (the Requirements for PIPCA Professional Competencies). The deadline for public comments is March 17, 2025.
In addition to clarifying several key issues, such as:
- Data processors handling personal information of more than one million individuals must appoint a person responsible for personal information protection, who will also oversee personal information compliance auditing.
- Data processors dealing with complex personal information processing (e.g., platform companies) should set up an independent internal organization, primarily composed of external members, to supervise compliance audits.
The PIPCA Rules also outline the scenarios where the PIPCA should be applied and the requirements for its implementation. Meanwhile, the draft Requirements for PIPCA Professional Competencies defines the necessary qualifications, including management, technical, and personnel skills, for organizations interested in providing PIPCA services.
This article offers our insights on how data processors should approach and manage PIPCA compliance based on the PIPCA Rules.
What is the PIPCA?
Article 2 of the PIPCA Rules defines PIPCA as a supervisory activity to review and evaluate whether personal information processing by data processors complies with laws and regulations. This means that PIPCA is essentially a legal assessment and is primarily a compliance audit based on the laws and regulations.
The PIPL and the Network Data Regulation, which serve as the legislative foundation for the PIPCA Rules, require data processors to regularly conduct compliance audits on their personal information processing activities. Specifically, Article 54 of the PIPL and Article 27 of the Network Data Regulation mandate that data processors regularly audit their handling of personal information, either independently or through a professional institution.
At first glance, this may suggest that PIPCA is a routine compliance task that data processors should manage independently as part of their ongoing efforts to protect personal information. However, a closer examination of other provisions in the PIPL and Network Data Regulation reveals a more nuanced picture:
- Article 64 of the PIPL stipulates that if a regulatory agency discovers significant risks in personal information processing or identifies a security incident, it may require the data processor to conduct a compliance inquiry or engage a professional institution for a compliance audit.
- Article 52 of the Network Data Regulation emphasizes that when conducting data security inspections, authorities should collaborate, reasonably determine inspection frequency, and avoid redundant or overlapping inspections. Coverage of the PIPCA should not overlap with that of other assessments, such as risk assessments or outbound transfer security assessments.
Moreover, Articles 4 and 5 of the PIPCA Rules further specify when the PIPCA should be triggered:
- A data processor handling personal information of more than 10 million individuals must conduct a PIPCA at least once every two years.
- The CAC or other authorities may require a data processor to conduct a PIPCA under the following circumstances:
  - When personal information processing activities present greater risks (e.g., significant impact on individual rights, lack of key security measures).
  - When processing activities could harm the rights of a large number of individuals.
  - After a personal information security incident involving more than one million individuals' personal data or 100,000 individuals' sensitive information.
However, for the same incident or risk, different regulatory authorities should not require multiple PIPCA audits.
Analysis of PIPCA Applicability
Based on the above provisions, it seems that:
- PIPCA may only be a mandatory requirement for data processors who handle personal information of more than 10 million individuals or those identified above in the PIPCA Rules as presenting higher risks in their data processing activities.
- For mandatory PIPCA scenarios, data processors must complete the audit within the specified time, submit the audit report to the CAC, address the identified issues, and report back upon completion.
- Data processors not subject to the mandatory requirement for PIPCA may have more discretion in deciding whether, when, or how to conduct a PIPCA.
Therefore, PIPCA is primarily a regulatory tool used by authorities to monitor high-risk data processors or those with significant compliance concerns, rather than a routine legal obligation for all data processors.
Why the Emphasis on Administrative and Technical Competencies?
The draft "Requirements for PIPCA Professional Competencies" focuses on administrative and technical competencies because the professional institutions assisting with PIPCA are expected to help gather technical facts necessary for legal judgment. The CAC itself, as the regulatory authority, does not need legal services from third-party providers; instead, it only needs technical assistance to support its regulatory processes.
Notwithstanding the above, it also means that data processors must ensure both legal and technical compliance in preparing for or conducting PIPCA.
Strategies to Address PIPCA by Data Processors
Scenario 1: Anticipating the PIPCA
For data processors handling personal information of over 10 million people (Scenario 1), the PIPCA requirement can be anticipated and planned for. By implementing a solid data mapping and tracking strategy, a data processor can easily manage the process, whether handled internally or outsourced. Since there is no statutory follow-up requirement, self-managing the PIPCA every two years is a reasonable approach. However, it is advisable to maintain records of audit reports and any voluntary rectification or corrective measures in case of future regulatory inquiries.
Although the PIPCA can be self-managed, it may be beneficial to involve outside legal and technical experts to ensure that the audit remains independent and effective.
Scenario 2: Dealing with Unpredictable PIPCA Triggers
In Scenario 2, PIPCA is triggered by the occurrence of certain incidents or risk conditions, and whether those conditions are met is at the discretion of the regulatory authority. In this case, the audit must be conducted by a certified technical institution, and the results must be submitted to the authorities for review. Data processors must then take corrective actions and report the results. To avoid a regulator-mandated audit, data processors should maintain full compliance with all major requirements under the relevant personal information processing regulations and proactively monitor for potential risks. If unsure about their compliance status, data processors should consider conducting a baseline PIPCA with independent legal and technical advisors.
PIPCA in Other Scenarios
For data processors that do not meet the criteria for the above scenarios, the general requirement for compliance audits may be less urgent. However, conducting a voluntary PIPCA audit could be beneficial in certain situations, such as after a merger, acquisition, or significant changes to business practices or personal information processing schemes. In these cases, a PIPCA audit helps the data processor understand its compliance status and plan for ongoing compliance with legal and technical standards.
PIPCA Team Selection
For a successful PIPCA, selecting the right team is critical. In Scenario 1, even if the audit is self-managed, data processors may want to consider involving an experienced external team of both legal and technical experts. This can help ensure that the audit remains independent, comprehensive, and thorough. External professionals bring a fresh perspective to the evaluation of personal information processing practices and can identify potential issues that the internal team might overlook. A diverse team can also ensure that both the legal and technical aspects of the audit are adequately addressed.
The above summarizes our high-level understanding of the PIPCA, based on our experience and interpretation of the law. We hope it proves helpful. If our approach aligns with your business needs and you'd like to learn more about us, please feel free to contact us for a free preliminary consultation. As a leading legal data compliance team based in Shanghai, we provide highly effective, customer-friendly, practical, and time-saving cybersecurity and data compliance solutions. These can be offered from a purely legal perspective or, for enhanced results, through a combined approach that integrates both legal and technical expertise by collaborating with our trusted technical partners.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.