On 1 May 2025, the Cyberspace Administration of China (CAC)’s Measures for the Administration of Compliance Audits on Personal Information Protection enter into force. The measures establish a framework for auditing personal information processing activities in China and apply to all personal information processors operating within the country. Processors handling the data of more than 10 million individuals must conduct audits at least every two years. Authorities may mandate external audits if data processing poses significant risks, affects many individuals, or involves major security incidents; in such cases, professional institutions must conduct the audit. Professional audit institutions must meet competency standards and are encouraged to obtain certification. They cannot subcontract audits and must conduct them impartially while safeguarding confidential information. Processors handling the data of more than 1 million individuals must appoint a data protection officer. Large platforms with extensive user bases and complex operations should establish independent oversight bodies. Protection departments will supervise audits and investigate violations, while individuals and organisations can report non-compliance. Repeated audits by the same institution or individual are restricted to prevent conflicts of interest.