On 14 February 2025, the Cyberspace Administration of China (CAC) issued the Administrative Measures on Compliance Audits for Personal Information Protection (the Measures), which came into effect on 1 May 2025. The Measures mark the transition of the personal information compliance audit regime, first established under the Personal Information Protection Law of the People’s Republic of China (PIPL) and the Regulations on the Administration of Network Data Security, from a legislative framework to actual implementation.
This memorandum addresses two key issues arising under the Measures: (i) whether enterprises are required to conduct compliance audits, and (ii) when and by whom such audits must be carried out.
Who Must Conduct Compliance Audits?
The PIPL provides for two types of audits.
- Periodic audits (Article 54 PIPL, Articles 3 and 4 of the Measures) are a legal obligation for all personal information processors (the PIPL equivalent of a controller, hereafter “processor”). Enterprises processing the personal information of more than 10 million individuals must audit at least once every two years, while those processing minors’ personal information must audit annually (per the Regulations on the Protection of Minors in Cyberspace). Other enterprises may determine a reasonable cycle based on their processing volume, business model, and risk profile, typically every two to three years or on a targeted basis.
- Regulatory audits (Article 64 PIPL, Article 5 of the Measures) are triggered only when required by regulators. Under Article 5 of the Measures, such audits may be mandated where there are serious risks to personal rights, potential large-scale infringements, or major security incidents (e.g., breaches involving over one million individuals’ personal information or 100,000 individuals’ sensitive data).
Overseas processors subject to the PIPL’s extraterritorial provisions are also required to carry out periodic audits, though the Measures apply only to audits conducted within China (see Article 2 of the Measures).
When Should Audits Begin?
For most enterprises, the Measures do not impose a fixed timetable. Companies processing fewer than 10 million individuals’ data may decide their own cycle according to risk. Enterprises above the 10-million threshold must conduct audits at least once every two years, and in principle should complete one by 1 May 2025. Where regulators impose a mandatory audit, the deadline will be set by the authorities, with possible extensions in complex cases. Enterprises processing minors’ information remain subject to the annual audit requirement under the Regulations on the Protection of Minors in Cyberspace.
Who May Conduct Audits?
Enterprises may conduct periodic audits internally or by engaging external institutions. If conducted internally, the personal information protection officer leads the process.
The Measures require enterprises that operate major internet platforms, maintain very large user bases, or run complex businesses to establish an independent supervisory body composed mainly of external members to oversee the audit. Other enterprises are not required to do so, although separation of supervisory and compliance functions is recommended.
Regulatory audits must be conducted by professional institutions and cannot be performed internally.
Recommended Next Steps
As the Measures take effect, enterprises should consider the following actions:
- Review personal data processing activities and identify any sector-specific obligations.
- Put in place internal processes that support regular assessment, reporting, and remediation.
- Consider engaging external professional institutions to strengthen neutrality and demonstrate good-faith compliance.