China: Cyberspace Administration released Measures for Administration of Compliance Audits on Personal Information Protection including cross-border data transfer regulation

Description

On 12 February 2025, the Cyberspace Administration of China (CAC) released the Measures for the Administration of Compliance Audits on Personal Information Protection. The measures establish a framework for auditing personal information processing activities in China and apply to all personal information processors operating within the country.

Processors handling data of over 10 million individuals must conduct audits at least every two years. Authorities may mandate external audits if data processing poses significant risks, affects many individuals, or involves major security incidents. In such cases, professional institutions must conduct the audit. Professional audit institutions must meet competency standards and are encouraged to obtain certification. They cannot subcontract audits and must conduct them impartially while safeguarding confidential information. Repeated audits by the same institution or individual are restricted to prevent conflicts of interest.

Processors handling data of over 1 million individuals must appoint a data protection officer. Large platforms with a large number of users and complex operations should establish independent oversight bodies. Protection departments will supervise audits and investigate violations, while individuals and organisations can report non-compliance. The measures take effect on 1 May 2025.

Scope

Policy Area: Data governance
Policy Instrument: Cross-border data transfer regulation
Regulated Economic Activity: cross-cutting
Implementation Level: national
Government Branch: executive
Government Body: other regulatory body

Complete timeline of this policy change

2023-08-03
in consultation

On 3 August 2023, the Cyberspace Administration of China (CAC) opened a consultation on the draft A…

2023-09-02
processing consultation

On 2 September 2023, the Cyberspace Administration of China (CAC) closed its consultation on the dr…

2024-05-20
adopted

On 20 May 2024, the Cyberspace Administration of China (CAC) adopted the Measures for the Administr…

2025-02-12
in grace period

On 12 February 2025, the Cyberspace Administration of China (CAC) released the Measures for the Adm…

2025-05-01
in force

On 1 May 2025, the Cyberspace Administration of China (CAC)’s Measures for the Administration of Co…