The Cyberspace Administration of China (CAC) has introduced a draft regulation mandating regular compliance audits for all companies that handle personal data, as reported by the South China Morning Post on August 3. Under these rules, companies offering infrastructure information or services that hold data on more than 1 million users will be required to conduct at least one compliance audit annually, while companies with fewer than 1 million users will need to undergo an audit every two years. Additionally, for services engaged in cross-border transfer of their data, the audit will cover whether personal information is shared with foreign judicial or law enforcement bodies and whether such transfers are endorsed by Chinese authorities.
Over the past few years, China has progressively tightened its control over data and information, particularly concerning data that crosses international borders. The newly proposed rules build on existing legal frameworks, including the Personal Information Protection Law and the Data Security Law that took effect in November 2021, along with the Measures for Security Assessment of Cross-border Data Transfer that were implemented last September. The CAC stated that the forthcoming rules aim to “provide guidance and regulate compliance audits” to safeguard personal data. According to Caixin, hundreds of thousands of companies are expected to hold personal data on more than 1 million users, making compliance audits a significant undertaking. Under the new guideline, these companies will have the option to engage auditing agencies designated by the CAC to perform their audits.