China: Opened consultation on Administrative Measures for Personal Information Protection Compliance Audit including operating conditions

On 3 August 2023, the Cyberspace Administration of China (CAC) opened a consultation on the draft Administrative Measures for Personal Information Protection Compliance Audit until 2 September 2023. The proposed Measures would require service providers processing personal information on more than 1 million people to conduct compliance audits at least once a year, and service providers with less than 1 million users at least every 2 years. Authorities can require organisations found to have faulty personal information handling processes to undergo further audits. Audits, which can be done internally or by third parties, should evaluate compliance with consent, notice, sharing, storage, security, and other requirements in China's Personal Information Protection Law. The results must generally be submitted to regulatory authorities within 90 days and organisations must rectify the issues identified. Large internet platforms have specific auditing requirements regarding their rules, oversight of platform vendors, annual social responsibility reports, and independent personal information oversight bodies.