Beijing is becoming more protective of data being accessed by entities outside mainland China. Photo: Shutterstock Images

Companies in China to conduct regular personal data compliance audits under new rules

  • Internet regulator’s draft regulation requires all firms to carry out the audits
  • They include security checks for personal information being sent overseas

China’s internet regulator will require all companies dealing with personal data to conduct regular compliance audits, including security checks for data provided to overseas entities.

All companies with more than 1 million users will have to carry out at least one audit a year on their compliance with rules on managing users’ personal data, according to a draft regulation released on Thursday by the Cyberspace Administration of China.

Service providers with fewer than 1 million users will have to conduct an audit every two years.

The CAC is seeking public feedback on the draft regulation for a month until September 2.

Audits on data being sent overseas will include checking whether personal information is provided to overseas judicial or law enforcement agencies, and if that is being done after receiving the required approval from Chinese authorities.

The Cyberspace Administration of China has launched a public consultation on the draft regulation. Photo: Baidu

Companies will also have to review whether people handling data understand the personal information protection policy and cybersecurity environment of the country or region the data is sent to.

In addition, the audits are expected to make sure companies follow existing security assessment requirements for data and information sent overseas. Companies with more than 1 million users need official security approval to share information with overseas parties. Those that have provided the data of more than 100,000 users, or sensitive data of more than 10,000 users, to overseas entities since January 1 of the previous year must also get approval and will have to review the process.

The CAC said the draft regulation aimed to “provide guidance and regulate compliance audits” for personal data protection, based on laws and regulations including the Personal Information Protection Law.

Companies that deal with personal data will also be required to take measures to ensure overseas recipients handle data in line with China’s personal information law.

Compliance audits should focus on reviewing whether data processors have knowledge about the overseas entities’ data protection, according to the draft regulation.

They should also check whether recipients have been informed about relevant Chinese laws and regulations, and whether measures are taken to make sure recipients fulfil their obligations on data protection.

It comes as Beijing is becoming more protective of Chinese data being accessed by entities outside mainland China.

In 2021, Chinese regulators torpedoed a bid by ride-sharing giant Didi Chuxing to go public in New York, citing concerns related to data security risks and “national security”.

Meanwhile, Beijing has also been seeking to tighten control and improve oversight of how personal data is handled in China in recent years.

The Data Security Law, which took effect in 2021, limits the ways data can be processed and sets hefty penalties for companies that transfer key data overseas without authorisation from the government. The personal information law took effect the same year and places restrictions on how personal data can be collected, used and managed.

The CAC also brought in a “standard contract” for personal data leaving the country in June – a compliance requirement for companies that handle the personal data of up to 1 million Chinese users.