On 3 August 2023, the Cyberspace Administration of China (CAC) circulated for public comment the Measures on the Administration of Personal Information Protection Compliance Audits (Draft to Solicit Comments), together with an appendix, the Reference Points for Personal Information Protection Compliance Audits. The draft provides businesses with additional guidance to ensure compliance with the Personal Information Protection Law 2021 (2021 PIPL) and fleshes out the compliance audit requirements under Articles 54 and 64 of the 2021 PIPL.
In the August edition of GC Agenda China (subscription required), Morrison Foerster partner Paul McKenzie commented on the draft: “The draft measures provide important guidance on implementation of two discrete provisions of the PIPL, Article 54, which is the general requirement that all personal information processors (or 'handlers', using PIPL parlance) regularly audit compliance, and Article 64, which empowers the relevant department in charge to require that an audit is undertaken following a security incident or because it views a particular processing activity as high-risk. Key takeaways include the required cadence for audits (biannual generally, annual for high-volume processors, and as-and-when imposed by the regulator), the requirement to involve a third-party auditor if the audit is being imposed by the regulator, and the fact that the draft measures include an appendix that provides guidance on the required scope of audits. The final version of the measures is likely to be issued in quick order, with the deadline for comments already passed.”