China Tightens Corporate Personal Data Audit Rules
On 14 Feb. 2025, China’s Cyberspace Administration released the “Measures for the Administration of Personal Information Protection Compliance Audits” (个人信息保护合规审计管理办法, hereinafter the “Measures”), which shall come into force on 1 May 2025. The Measures clarifies corporate obligations in compliance audits to strike a balance between data utilization and personal information protection.
In recent years, China has established a data protection framework through the “Personal Information Protection Law” (个人信息保护法) and the “Regulations on Network Data Security Management” (网络数据安全管理条例), which require companies to conduct regular compliance audits.
The Measures provides detailed implementation guidelines, specifying audit procedures, institutional qualifications, and rectification obligations to enhance the transparency and legality of personal data processing.
The highlights of the Measures are as follows.
- Companies that process the personal information of more than 10 million individuals shall conduct audits at least once every two years, while other companies can determine a reasonable frequency.
- If regulatory authorities identify major risks (e.g., data breaches or user rights violations), they may require the company to commission a third-party professional audit.
- The same professional institution, any of its affiliated institutions, or the same person in charge of compliance audits shall not conduct personal information protection compliance audits for the same auditee three or more times in a row.