The Chinese government released proposed regulations that would require certain data processors to undergo annual or biennial audits on Thursday. The Chinese Cyberspace Office published the first draft text of the proposal, entitled “Administrative Measures for Compliance Auditing of Personal Information Protection” on its website.

The proposed regulations require annual certification for processors who possess sensitive data on over one million individuals. Those with fewer than one million individuals would undergo biennial audits. 

Multinational firms would be required to adhere to the regulations, challenging precedent for European and American entities in China. The regulations also extend to framework compliance and access to internal data by government-approved “professional auditors.”

While the draft regulations acknowledge that data processors have the prerogative to conduct autonomous security audits, the state retains the authority to require external audits, particularly in circumstances posing heightened risks of data breaches. In cases involving governmental oversight, the auditing process must be completed within 90 days, with final reports submitted directly to the Chinese government.

The regulations would also mandate companies to create response plans for data breaches and emergent contingencies.

Public engagement on the proposed regulations will continue via local channels linked to governmental systems until September 2, 2023. The regulations will take effect on January 1, 2024.

China previously passed two other data security measures, the Personal Information Protection Law (PIPL) and Data Security Law (DSL) in 2021. These regulations were made pursuant to the PIPL.