China Issues Significant New Draft Rules Relating to Personal Information Protection Compliance Audits

Summary

---

|

• The Draft measures are  formulated by the CAC to form detailed guidelines for the implementation of Articles 54 and 64 of the PIPL; they categorize compliance audits into regular and mandatory audits.
• PI processors may mandate an internal institution or entrust an external specialized agency to conduct regular audits, while the mandatory audit must be carried out by an external specialized agency.
• PI processors are required to provide cooperation and assistance to ensure that the audit agency has the necessary authority to carry out the audit.
• PI processors should prepare in advance for their upcoming compliance audit, including preparing an internal compliance audit plan, self-examining their internal management system and operating procedures, and ensuring preservation of evidentiary materials.

On August 3, 2023, the Cyberspace Administration of China (the "CAC") issued a notice soliciting public comments on the Measures for the Administration of Compliance Audits of the Protection of Personal Information (Draft for Comments) (个人信息保护合规审计管理办法（征求意见稿）), the "Draft"), and its annex Reference Points for Compliance Audit of Personal Information Protection (个人信息保护合规审计参考要点), the "Reference Points"). The Draft sets out guiding rules for conducting  personal information ("PI") protection compliance audits, and is very significant for PI processors in China who wish to strengthen their compliance.

I .     Overview of the Draft