Authored by: Atticus Zhao, Jerry Wang, Jane You and Dannie Sima

Compliance audits for personal information protection have drawn considerable attention in China for some time.

On 1 November 2021, the Personal Information Protection Law of the People's Republic of China (the "PIPL") required for the first time, at the legislative level, that personal information processing activities undergo regular compliance audits.

The personal information protection compliance audit ("PIPCA") has since become a statutory obligation for personal information processors ("PI processors") subject to the PIPL. The PIPCA requirement is also reiterated in the Cyber Data Security Management Regulations, which took effect on 1 January 2025.

On 14 February 2025, the Cyberspace Administration of China (CAC) officially issued the Administrative Measures for the Personal Information Protection Compliance Audit (the "PIPCA Measures"), which will become effective on 1 May 2025. The final version was issued about one and a half years after the first draft was released for public comment in August 2023.

The PIPCA Measures, together with their appendix (the "PIPCA Guidelines"), specify detailed requirements for PI processors to conduct a PIPCA, highlighting the important role of the PIPCA in personal information protection compliance.

This article summarizes the key takeaways from the PIPCA Measures.
