The Chinese government recently published a draft of proposed regulations that could potentially compel specific data processors to undergo annual or biennial audits. This first draft, labeled as the “Administrative Measures for Compliance Auditing of Personal Information Protection”, has been unveiled on the Chinese Cyberspace Office’s website, marking a significant regulatory move in Asia’s largest economy.
The proposed regulations highlight compulsory annual certification for data handlers holding sensitive details of over a million individuals. Entities possessing data on fewer persons would be examined biennially. Significantly, these stipulations would extend to multinational firms operating within China, setting new operational standards for European and American companies operating in this giant Asian market.
The draft regulations temper the compliance requirements with a measure of flexibility. While organizations will have the prerogative to conduct autonomous security audits, the government retains the power to mandate external audits. Such interventions would be more likely in situations garnering increased risks of data breaches. In these circumstances, audits must be completed within 90 days, and the final reports are to be submitted directly to the Chinese government.
Furthermore, the proposed regulations detail an obligation for companies to devise and implement response protocols for data breaches and emergent contingencies. The period for public discussion regarding the draft regulations will span until September 2, 2023, through government-linked channels.
The new regulations are slated to become operational by January 1, 2024. This comes in the wake of two previous regulations passed by China in the sphere of data security; the Personal Information Protection Law (PIPL) and the Data Security Law (DSL) in 2021. These latest proposed regulations are being built upon the existing legal framework established by the PIPL.
For more details, please refer the original news published on JURIST – News.