Compliance Audits for Personal Information Protection - China issues a new Draft Regulation for Public Comment
Published 7 September 2023
Sarah Xuan
On 3 August, the Cyberspace Administration of China (“CAC”) publicly invited opinions on the Measures for the Management of Compliance Audits on Personal Information Protection (“Measures”), which clarify the definition of a personal information protection compliance audit, the entities to which it applies, the timeframe requirements, and the authority and obligations of the professional agencies that perform it, and which propose in the annexure the “Key Points for the Personal Information Protection Compliance” (“Key Points”) to guide and standardize personal information protection compliance auditing activities.
China’s Personal Information Protection Law sets out requirements for independent audits and mandatory external audits of personal information processors. Article 54 stipulates that “a personal information processor shall conduct compliance audits of its handling of personal information in compliance with laws and administrative regulations regularly”; Article 64 stipulates that where the administration department performing personal information protection duties finds that personal information processing activities carry a significant risk, or that a personal information security incident has occurred, it may require the personal information processor to commission a professional agency to conduct a compliance audit of its personal information processing activities. In addition, the Regulations on the Administration of Network Data Security (Draft for Public Comments) also make corresponding provisions for compliance auditing of personal information protection. This system design not only helps regulators pay continuous attention to the legality of an organization’s personal information processing activities but also helps personal information processors respond actively to regulation and effectively improve their personal information protection capabilities.
The release of the Measures has refined and improved China’s personal information protection compliance auditing system and provided a clear implementation path for related work. This article focuses on analyzing the main contents of the Measures and Key Points:
1. Highlights of the Measures
1) Audit subjects and frequency requirements
The Measures state that personal information processors that handle the personal information of more than 1 million people shall conduct personal information protection compliance audits at least once a year; other personal information processors shall conduct personal information protection compliance audits at least once every two years.
When the supervisory authority finds that personal information processing activities carry a high risk, or that a personal information security incident has occurred, the personal information processor should select a professional agency to conduct a personal information protection compliance audit as soon as possible.
2) Audit agency and time frame requirements
The Measures point out that personal information processors may carry out personal information protection compliance audits on their own and may, depending on the actual situation, have the audit performed by the organization’s internal bodies or entrust it to a professional institution that meets the requirements of the Measures. Personal information processors that are required by the administration department to carry out a personal information protection compliance audit shall, as soon as possible after receiving the notification, select a professional institution that meets the requirements of the Measures to conduct the audit; the mandatory external audit shall be completed within 90 working days, which may be appropriately extended in complex cases upon approval by the administration department.
3) Clarifying the competence and obligations of professional agencies
The Measures not only clarify the authority that professional agencies may exercise in the case of a mandatory external audit but also specify the requirements for the independence and objectivity of professional agencies, the directory system for recommending professional agencies, the requirement that no more than three audits be carried out on the same subject, and the prohibition on subcontracting the audit.
In addition, the Measures require that the information obtained be subject to the duty of confidentiality, that there be no malicious interference with the normal business activities of the personal information processor, and that there be no irregularities such as the issuance of false or inaccurate reports. Professional agencies should be able to exercise the necessary authority to carry out compliance audits, such as accessing documents and information, investigating system activities, inspecting equipment and facilities, retrieving personal information, and interviewing relevant personnel.
2. Highlights of the Key Points
The Key Points of Personal Information Protection Compliance (“Key Points”), based on the requirements of the Personal Information Protection Law, incorporate many of the specific provisions of relevant laws, regulations, and national standards, such as the Specification for the Security of Personal Information (GB/T 35273-2020), the Measures for the Assessment of the Security of Data Exit, and the Implementation Guidelines for Notification and Consent in Personal Information Processing (GB/T 42574-2023).
The Key Points clarify the key issues to be examined in audit activities from four dimensions: personal information processing activities, response to the rights of personal information subjects, obligations of personal information processors, and obligations of operators of large-scale Internet platforms. Specifically:
1) Rules for handling personal information
Based on the Personal Information Protection Law, the Key Points further propose to specify the personal information collected, the purpose, manner, and scope of its handling in the form of a list.
At the same time, in response to the current practice of broad and vague notification of the retention period of personal information, the Key Points clarify the content of the notification of the retention period, including not only the specific time of the retention period but also the method of determining the retention period and the manner of handling the information after the expiration date.
2) Notice-Consent Rule
The Key Points combine the requirements of the Guidelines for the Implementation of Notification and Consent in Personal Information Processing (GB/T 42574-2023) to refine the notification-consent rules, such as clarifying the format of the notification text, the way of notification online and offline, and requiring the recording of the operation of the individual’s consent.
3) Co-processing / Commissioning / Providing to third parties
The processing of personal information involving third parties includes joint processing (co-processing), entrusted processing (commissioning), and the provision of personal information to third parties. Depending on the scenario, the Key Points clarify the obligations to be fulfilled by personal information processors at each stage. In general, the Key Points require personal information processors to conduct due diligence before cooperating with a third party in the processing of personal information. After determining the mode of cooperation, they should sign contracts appropriate to the scenario, agreeing on the rights and obligations of each party, the purpose, mode, and scope of processing, and the allocation of responsibility for the processing of personal information. During the performance of the contract, they must supervise and manage the third party’s personal information processing activities and its other contractual performance.
4) Automated decision making
The Key Points consolidate algorithm compliance points based on algorithm-related rules and regulations such as the Provisions on the Administration of Algorithm-generated Recommendations for Internet Information Services and the Provisions on the Security Assessment for Internet Information Services with Characteristics of Public Opinions or Capable of Social Mobilization. These mainly include prior assessment, filing, and ethical review; protection of parameter models and management of labels; and the provision of safeguard mechanisms to users.
5) Disclosure of Personal Information & Handling of Disclosed Personal Information
The Key Points further restrict the processing of disclosed personal information by requiring that it be processed within reasonable limits and that processing activities remain related to the purpose for which the information was disclosed. This reflects the principles of justification, necessity, and restriction in the handling of personal information.
Meanwhile, in response to the chaotic phenomenon of using personal information for cyber violence, the Key Points echo the Provisions on the Management of Information on Cyber Violence (Draft for Public Comments), also emphasizing that publicly available personal information shall not be used to engage in cyber violence activities.
6) Handling of Sensitive Personal Information & Handling of Personal Information of Minors Under 14 Years of Age
The Key Points emphasize that the processing of sensitive personal information must have a specific purpose and be sufficiently necessary. At the same time, they require that the processing of sensitive personal information be documented, drawing on the requirements of the EU’s General Data Protection Regulation (GDPR) for records of data processing activities.
7) Outbound data transfer
At present, with the introduction of the Measures for Data Export Security Assessment, the Measures for Standard Contracts for Personal Information Departure, and the corresponding declaration guidelines, the compliance path for outbound data transfer is becoming clearer. The Key Points, in conjunction with the above-mentioned laws and regulations, clarify that data export audits should focus on the selection of a compliance path, the legality of the export, the policy and legal environment of the destination jurisdiction, and the supervision of overseas recipients.
8) Personal Information Rights Response
In terms of responding to personal information rights, the Key Points emphasize the right to erasure and the right to explanation, taking into account current industry practice. At the same time, the Key Points also reiterate that the rights response mechanism must be convenient and timely.
9) Obligations of personal information processors
Focusing on personal information protection management systems, policy construction and organizational structure, and the establishment of positions and responsibilities, the Key Points put forward detailed and clear requirements based on the Personal Information Protection Law and encourage enterprises to further improve their internal security governance systems.
10) Obligations of operators of large Internet platforms
Given the huge number of users and the complexity of the business types of large Internet platform operators, the Key Points refine the requirements of the Personal Information Protection Law and clarify the obligations that large Internet platforms must undertake, which promotes their further implementation and solidifies the platforms’ primary responsibility.
Summary
At present, personal information protection compliance auditing has become an internationally accepted practice. The release of the Measures is an important guideline for the implementation of China’s personal information protection laws and regulations and for the enhancement of organizations’ personal information protection capabilities. Personal information processors need to pay close attention to the introduction of personal information protection laws and regulations and the implementation of the related policies, adjust and improve their personal information protection strategies, and carry out their personal information processing activities in accordance with laws and regulations.