China Justice Observer

中司观察

EnglishArabicChinese (Simplified)DutchFrenchGermanHindiItalianJapaneseKoreanPortugueseRussianSpanishSwedishHebrewIndonesianVietnameseThaiTurkishMalay

China Tightens Corporate Personal Data Audit Rules

Thu, 08 May 2025
Categories: China Legal Trends

On 14 Feb. 2025, China’s Cyberspace Administration released the “Measures for the Administration of Personal Information Protection Compliance Audits” (个人信息保护合规审计管理办法, hereinafter the “Measures”), which shall come into force on 1 May 2025. The Measures clarifies corporate obligations in compliance audits to strike a balance between data utilization and personal information protection.

In recent years, China has established a data protection framework through the “Personal Information Protection Law” (个人信息保护法) and the “Regulations on Network Data Security Management” (网络数据安全管理条例), which require companies to conduct regular compliance audits.

The Measures provides detailed implementation guidelines, specifying audit procedures, institutional qualifications, and rectification obligations to enhance the transparency and legality of personal data processing.

The highlights of the Measures are as follows.

  • Companies that process the personal information of more than 10 million individuals shall conduct audits at least once every two years, while other companies can determine a reasonable frequency.
  • If regulatory authorities identify major risks (e.g., data breaches or user rights violations), they may require the company to commission a third-party professional audit.
  • The same professional institution or any of its affiliated institutions or the same person in charge of compliance audits shall not conduct personal information protection compliance audits for the same auditee for three or more times in a row.

 

 

Photo by manos koutras on Unsplash

Contributors: CJO Staff Contributors Team

Save as PDF

You might also like

ABLI-HCCH webinar: Cross-Border Commercial Dispute Resolution – Electronic Service of Documents and Remote Taking of Evidence (July 10, 2025)

The Asian Business Law Institute (ABLI) and the Hague Conference on Private International Law (HCCH) will host their fourth joint webinar on July 10, 2024 (5:00–6:10 PM SGT), focusing on electronic service of documents and remote taking of evidence under the Service and Evidence Conventions, featuring expert speakers, with an early bird discount available until June 10.

China Tightens Corporate Personal Data Audit Rules

In February 2025, China's Cyberspace Administration issued the "Measures for the Administration of Personal Information Protection Compliance Audits," effective May 1, 2025, mandating regular audits for companies, especially those processing data of over 10 million individuals, to ensure transparency and legality in personal data handling.

SPC Releases Typical Cases on Telecom Fraud Crimes

In February 2025, China's Supreme People's Court (SPC) released eight typical telecom fraud cases, exposing new criminal methods and highlighting intensified judicial efforts after handling 31,000 such cases in 2023.

SPC Targets Cyber Extortion with Typical Cases

In February 2025, China’s Supreme People’s Court (SPC) released six typical cases showcasing its crackdown on emerging cyber extortion crimes, including spreading rumors and sextortion, to encourage victims to seek legal protection.

China Issues New Rules on Foreign-Related IP Disputes

In March 2025, China issued regulations effective May 1, 2025, to enhance dispute resolution, evidence collection, and countermeasures for foreign-related intellectual property disputes, strengthening services and enterprise capabilities.

SPC Issues China’s First Anti-Anti-Suit Injunction (AASI) in IP Case

In December 2024, China’s Supreme People’s Court (SPC) issued its first anti-anti-suit injunction in a patent dispute, Huawei v. Netgear, prohibiting Netgear from obstructing Huawei’s Chinese litigation, marking a significant step in global standard-essential patent governance.

SPC Launches Diversified Dispute Resolution Case Database

In February 2025, China's Supreme People's Court launched a public “Diversified Dispute Resolution Case Database” with over 200 cases, showcasing mediation and arbitration examples across various dispute types to guide alternative dispute resolution.