China Finalises Measures for Personal Information Protection Compliance Audits: Key Legal Implications for Data Controllers

New CAC rules introduce a structured framework for data compliance audits under China’s PIPL—here’s what businesses need to know to meet evolving privacy obligations by May 2025.

On 14 February 2025, the Cyberspace Administration of China (“CAC”) issued the long-awaited Administrative Measures for Personal Information Protection Compliance Audits (the “Measures”), set to take effect on 1 May 2025. These Measures, adopted pursuant to the Personal Information Protection Law (“PIPL”) and the Network Data Security Management Regulations (“Regulations”), establish a clearer procedural framework for conducting compliance audits of personal information handling activities in the PRC.

This article outlines the legal background and key provisions of the Measures, and highlights practical implications for corporate data controllers operating in or with links to Mainland China.

Legal Background

Articles 54 and 64 of the PIPL require data controllers (referred to as “personal information processors”) to carry out periodic personal information protection compliance audits (“PI Audits”), either independently or via professional institutions. Such audits may be required in two contexts:

  • Regular Audits: Periodic audits undertaken voluntarily to assess ongoing compliance.

  • Regulator-Mandated Audits: Audits required by the CAC or other regulators in cases of high-risk processing or following a data security incident.

While the PIPL and the Regulations established this high-level obligation, the Measures now provide operational clarity—introducing thresholds, procedures, and audit criteria for practical implementation.

Thresholds for Regular Audits

Under the Measures, Regular Audits are mandatory for data controllers processing personal information of more than 10 million individuals. These entities must complete an audit at least once every two years.

This represents a material relaxation from the August 2023 draft, which would have applied to entities processing 1 million individuals’ data and imposed an annual audit requirement.

Entities processing fewer than 10 million individuals’ data are not subject to a fixed audit interval. They must determine audit frequency based on:

  • Volume and sensitivity of data;

  • Nature of processing activities;

  • Associated risks; and

  • Sectoral regulatory requirements.

While these data controllers may conduct the audit themselves, the Measures encourage engagement of third-party institutions where appropriate, particularly in high-risk sectors such as finance or when processing minors’ data.

Regulator-Mandated Audits

The CAC or other competent authorities may compel a PI Audit under the following circumstances:

  • High-risk processing that threatens data subjects’ rights;

  • Apparent deficiencies in technical or organisational protection measures;

  • Large-scale infringement involving personal data; or

  • Data breaches affecting over 1 million individuals, or 100,000 individuals’ sensitive personal data.

Notably:

  • Only licensed third-party professional institutions may conduct such audits;

  • No more than three consecutive audits may be conducted by the same institution for the same data controller;

  • Duplicate audits for the same incident are prohibited.

This ensures proportionality in enforcement and mitigates audit fatigue.

Audit Content and Guidelines

An annexed audit guide titled “Guidelines for Personal Information Protection Compliance Audits” outlines 27 core audit categories. These include, among others:

  • Legal basis for processing;

  • Handling of sensitive personal information;

  • Retention limits;

  • Cross-border data transfers;

  • Incident response protocols.

This annex serves as a de facto checklist for both self-assessments and external audits. Its publication introduces a more uniform standard for compliance assessment, aligned with CAC expectations.

Appointment of Data Protection Officers

The Measures specify that data controllers processing personal data of more than 1 million individuals must appoint a Data Protection Officer (DPO). The DPO is accountable for organising and overseeing PI Audits.

Additionally, entities operating significant internet platforms or conducting complex data processing must establish an independent audit oversight body, preferably comprising external personnel. This imposes more formalised compliance structures, akin to corporate governance standards in financial services or public companies.

Reporting and Rectification Obligations

Where a Regulator-Mandated Audit is required:

  • The audit must be completed by a qualified third-party institution within the regulator’s specified timeframe;

  • The audit report must be submitted to the regulator upon completion;

  • The regulator may issue rectification directions;

  • A written rectification report must be filed within 15 working days following completion of remedial measures.

Failure to comply with these timelines may result in administrative sanctions under the PIPL and related rules.

Uncertainties and Extraterritorial Application

One area of ambiguity remains: the scope of application to foreign data controllers.

While the PIPL clearly applies extraterritorially (e.g., to foreign entities processing data of PRC individuals), Article 2 of the Measures appears to restrict their application to audits conducted within the PRC. This raises questions about enforcement and compliance expectations for offshore controllers.

It remains to be seen whether further guidance will clarify:

  • Whether foreign controllers must conduct audits in line with these Measures;

  • Whether audits must be conducted within PRC territory; and

  • How extraterritorial compliance may be assessed or enforced.

Until then, foreign data controllers subject to the PIPL’s extraterritorial scope would be prudent to adopt internal audit mechanisms that substantively align with the Measures and Guidelines.

Conclusion

The finalised Measures bring long-needed clarity to the compliance audit regime under China’s personal data protection laws. They provide greater certainty regarding thresholds, procedures, and responsibilities, while introducing compliance flexibility for smaller-scale processors.

Given the 1 May 2025 effective date, companies should now:

  • Assess their processing volumes and determine audit obligations;

  • Appoint a DPO if applicable;

  • Prepare audit documentation and procedures;

  • Review cross-border processing structures and risk exposures.

As regulatory enforcement of the PIPL intensifies, proactive audit readiness will be essential to maintaining compliance and mitigating legal risk in the PRC.
