The Measures outline requirements and procedures for self-initiated and regulator-mandated compliance audits from May 1, 2025.

By Hui Xu and Bianca H. Lee

The Cyberspace Administration of China’s (CAC’s) official release of the Measures for Personal Information Protection Compliance Audits (the Measures) marks the CAC’s commitment to implementing the compliance audit system under the PIPL, which has been in effect since November 1, 2021. There was no formal guidance on or implementation of this requirement prior to the publication of the Measures, aside from a draft version of the Measures. The Measures took effect on May 1, 2025 (an unofficial English translation can be found here). 

Compliance audits are mandatory for personal information processors (PI Processors) subject to PIPL, as stipulated in Articles 54 and 64 of the PIPL and Article 27 of the Regulations on Network Data Security Management (Network Data Regulations).

Key Provisions

1. Definition of Compliance Audits

a) Personal information (PI) protection compliance audits refer to an overall assessment of whether a PI Processor’s activities comply with legal and regulatory requirements.

b) These compliance audits are distinct from routine compliance checks, which typically target specific compliance gaps. Compliance audits are instead designed to holistically assess the effectiveness of the routine compliance activities and provide a comprehensive review of the PI Processor’s compliance with the PIPL.

2. Two Types of Compliance Audits

The Measures outline two types of compliance audits: (i) self-initiated audits; and (ii) regulator-mandated audits.

Self-initiated Audits

a) For self-initiated audits, PI Processors can either conduct these audits internally using their own resources and personnel or engage a third-party professional agency (Article 3 of the Measures). 

b) PI Processors handling PI of more than 10 million individuals must conduct at least one audit every two years (Article 4 of the Measures). PI Processors handling PI of fewer than 10 million individuals are required to conduct audits “regularly” (Article 54 of the PIPL and Article 27 of the Network Data Regulations). Since no specific frequency is mandated, PI Processors must determine the appropriate audit frequency based on their own specific circumstances. Conducting a compliance audit every three to five years is likely considered reasonable. When deciding the audit frequency, PI Processors should also consider other legal requirements. For example, according to Article 37 of the Regulations on the Protection of Minors in Cyberspace (2023), PI Processors must conduct, or entrust a professional agency to perform, an annual compliance audit of their processing of PI relating to minors and report the results to the CAC.

Regulator-mandated Audits

a) The CAC and/or PRC industry authorities may require a PI Processor to engage a third-party professional agency to conduct a compliance audit of its processing activities under any of the following circumstances (Article 5 of the Measures):

i) Significant risks to personal rights: If PI processing activities are deemed to raise significant risks that severely impact individuals’ rights or if inadequate security measures are identified.

ii) Potential infringement of rights: If PI processing activities have the potential to infringe upon the rights of a large number of individuals.

iii) Major data breach: In the event of a data breach resulting in the leakage, tampering, loss, or destruction of PI affecting more than one million individuals or sensitive PI affecting more than 100,000 individuals.

In the absence of any guidance as to what triggers the first two circumstances, the regulators will likely use discretion to determine whether such circumstances are present.

b) For the same PI data breach or risk, regulatory authorities are not allowed to repeatedly mandate that the PI Processor engage a professional agency for a compliance audit. This provision ensures that audits are not unnecessarily repeated for the same risk or incident of data breach (Article 5 of the Measures). However, the article does not preclude mandatory audits triggered by different risks or data breaches. Therefore, it is possible to have an audit triggered by a data breach in one year and another audit triggered by a different risk in the following year.

c) In regulator-mandated audits, PI Processors must:

i) Cooperate with and assist professional agencies in conducting audits and bear the associated costs (Article 8);

ii) Complete audits within specified timeframes, with possible extensions for complex cases (Article 9);

iii) Rectify issues as recommended by professional agencies (Article 9); and

iv) Submit audit and rectification reports to the relevant authorities (Article 10). The rectification report should be submitted within 15 business days after completion of the rectification (Article 11).

3. Requirements for Professional Agencies

a) The Measures do not require professional agencies to be designated or certified by authorities such as the CAC. However, professional agencies must possess the necessary capabilities to conduct audits, including having qualified personnel, suitable facilities, and adequate resources (Article 7).

b) They are prohibited from subcontracting audits to other institutions (Article 14) and cannot audit the same PI Processor more than three consecutive times (Article 15).

c) The CAC has not specified which professional agencies will be deemed qualified to conduct compliance audits for PI Processors.

d) If a PI Processor is required by the authorities to undergo a regulator-mandated audit, it must engage a professional agency selected by the authority (Article 9).

e) It is noteworthy that, for professional agencies conducting PI cross-border transfer certifications under the PIPL, the CAC previously issued regulations after the PIPL came into effect requiring those agencies to obtain certification. Therefore, it is possible that the CAC may later issue certification requirements for PI audit professional agencies, although there are none at present.

4. Key Audit Focus Areas

The Guidelines for Personal Information Protection Compliance Audits (appended to the Measures) outline the key areas that should be covered in a compliance audit, including but not limited to legal bases for PI processing, entrusted processing of PI (i.e., where a PI Processor delegates processing of PI to a service provider), cross-border transfer and third-party sharing of PI, automated decision-making, processing of sensitive PI, data subject rights, PI Processors’ other obligations under the PIPL, implementation of internal management and security measures, development of emergency response plans for data breaches (e.g., reviewing the plan’s comprehensiveness and effectiveness in handling data breaches), and the responsibilities of large platforms (e.g., assessing whether the platform rules conflict with laws and regulations, the effectiveness of the platform’s personal information protection rules, and whether the latter are effectively implemented). These areas are consistent with PIPL provisions and other relevant regulations and standards, offering a comprehensive framework for audits.

Although the Measures do not provide specific procedures or requirements for conducting the compliance audits, the 2024 draft national standard, Data Security Technology – Personal Information Protection Compliance Audit Requirements (here), includes detailed standards on implementation procedures, evidence management, and requirements for auditors. Although not yet finalized, the draft standards offer practical insights on what likely would be expected.

5. Appointment of PI Protection Officer

PI Processors handling PI of more than one million individuals must appoint a PI protection officer to oversee audits (Article 12). Large internet platforms (i.e., platforms with a significant user base and complex business operations) must establish independent bodies to supervise audits (Article 12). The Measures do not explicitly specify whether an “independent body” refers to an internal or external body. However, the reference in the Measures to “an independent body mainly composed of external members” suggests that an “independent body” refers to an internal body that requires external members, similar to a board with independent directors.

6. Sanctions and Compliance

Non-compliance with the Measures can lead to significant legal consequences, including investigations, business suspension, penalties under the PIPL and Network Data Regulations, or criminal liability under the PRC Criminal Law (Article 18).

a) Violations of the PIPL may result in fines of up to RMB 50 million or 5% of the entity’s annual turnover for the previous year, whichever is higher. Individuals who are directly responsible may face fines of up to RMB 1 million and be prohibited from serving as directors, supervisors, senior management personnel, or PI supervisors of related entities for a certain period. PI audits are an obligation stipulated under the PIPL, so in theory violations of the PI audit requirement may also be subject to the penalties above. However, we still need to wait for practical cases to understand the specific penalties for such violations.

b) PI auditing is also stipulated in the Network Data Regulations, but the regulations do not specify legal liabilities for violations of the PI auditing requirement. Therefore, it remains to be seen what the penalties for violating the PI audit requirement under the Network Data Regulations will be.

Next Steps

As the Measures took effect on May 1, 2025, we recommend that PI Processors develop a comprehensive compliance audit framework/policy for internal use covering the scope, frequency, and procedure of audits, and begin their audit processes. PI Processors should also consider whether to conduct audits internally (which can be done with the assistance of law firms) or to engage a third-party professional agency, though, as explained above, it remains unclear who may be qualified to act as such an agency.

If you have any questions about this post or need assistance conducting compliance audits, please contact one of the authors.