Any business in China holding more than one million records of personal data, or just 10,000 records of sensitive personal data, is facing new annual compliance audit requirements. The Cyberspace Administration of China (CAC) has announced that these companies will face at least one such audit per year.
Businesses with 100,000 records of personal data will be up for a compliance audit once every two years. While these requirements will apply to all organizations in the country, there seems to be a particular focus on personal information that may be making its way beyond national borders.
The compliance audit proposal is in a required public comment period until September 2, and is slated to become law at the start of 2024.
Chinese government continues crackdown on personal data handling
The compliance audits are to ensure that companies are within the bounds of the Personal Information Protection Law (PIPL), passed in November 2021. The sprawling data privacy law established explicit consent requirements for data subjects, security requirements for protection of stored personal information, the appointment of data officers, and the right of data subjects to access and correct their information.
It also set data volume thresholds over which processors are required to store all personal data domestically, and required security assessments for those that pass personal data to entities outside of China. The law has some of the harshest penalties in the world for data privacy violations: up to 5% of annual income, plus confiscation of any “unlawful income” and possible suspension of business activities.
The law’s special category of sensitive personal data covers qualities or categories that could lead to personal discrimination or material harm: things like race, ethnicity and religion, but also financial, health and location information as well as any biometric data. Storage and processing of just 10,000 records of this nature annually means an annual compliance audit for companies in China.
The compliance audits will not be conducted directly by government inspectors, however. Companies must either arrange for an internal organization or an approved third-party agency to carry out the audit. The State Council and both national and local cybersecurity departments will be creating and providing a catalog of recommended agencies that companies are encouraged (but not required) to use.
The requirements for the compliance audit are thorough and complex; the law allots inspecting agencies up to 90 days to complete their work, but they may apply for an extension when the situation warrants it. In total there are 18 areas that the regulation designates for inspection, but some will not apply to all companies (such as handling of the personal data of minors and effectiveness of measures used to secure overseas data transfers).
As to auditing of cross-border personal data transfers, the number of records in play determines the requirements for the compliance audit. If the company is over the volume threshold, it may be required either to sign a CAC “Standard Contract” or to undergo a direct security inspection by the CAC. Requirements such as these begin at the transfer of 100,000 records of personal information or 10,000 records of sensitive personal data.
Compliance audit follows multiple moves to limit international data transfers, bolster national cybersecurity
Keeping Chinese personal information off of foreign servers has become an increased focus of the government in recent years. In addition to the terms introduced by PIPL in 2021, an update to the country’s anti-espionage law was passed in April that swept a much broader range of information into protected categories. It was the first such update to espionage laws since 2014. The rather loose wording gives the government broad power to define all sorts of documents and personal data as items that affect national security, down to market research on Chinese consumer demographics.
The new compliance audit requirements also follow a recent push to stop Chinese domestic companies from going public on foreign exchanges. Going public in New York or London is generally more lucrative, but the Chinese government wants to see this happen on the mainland or at least in Hong Kong. Companies are still technically able to list overseas, but if they have more than one million records of personal data they are subject to an extra security review conducted by the CAC. Alibaba was pressured to drop a US public listing, eventually announcing in 2022 that it would list in Hong Kong. Ride-sharing giant Didi did the same, withdrawing from the New York Stock Exchange and announcing plans to move to Hong Kong after a very hot initial listing, but continued to face regulatory difficulties from the CAC even after it committed to this course of action.
No date has been set for the issuance of the catalog of recommended inspection agencies, but the CAC has said that organizations cannot use the same provider for more than three compliance audits in a row.