

The Personal Information Protection Law (PIPL) in China, a cornerstone of the country’s data privacy framework, is set to undergo a significant shift. On August 3, 2023, the Cyberspace Administration of China (CAC) released the Personal Information Protection Compliance Audit Management Measures (Draft for Comments) – the “Draft Audit Measures”. This proposal suggests a new compliance audit regime for companies handling personal information (PI) of individuals in China, marking a pivotal moment in the evolution of China’s data protection landscape. In this article, “Draft Audit Measures Under China’s PIPL: What Businesses Need to Know”, we delve into the requirements and impact.


Understanding the Draft Audit Measures

The Draft Audit Measures propose regular compliance audits for companies processing the PI of subjects in China. These audits assess conformity with the PIPL’s protection requirements and related regulations. Key points include:

  1. Mandatory Annual Audits: Companies handling the PI of over one million individuals must undergo a compliance audit annually.
  2. Biennial Audits for Others: All other companies processing PI must have an audit every two years.
  3. Self-Auditing Flexibility: Companies can conduct these audits internally or through an entrusted third-party agency.


Impact on Professional Audit Institutions

Interestingly, the Draft Audit Measures primarily target the professional third-party institutions responsible for conducting these compliance audits. This aspect underscores the growing role of external auditors in enforcing PIPL compliance.


Public Consultation and Current Status

Following the release, the CAC sought public feedback until September 2, 2023. However, as of now, updates on potential amendments or official adoption have yet to be announced.


Implications for Foreign Companies

If enacted in their current form, these measures will increase the compliance burden for foreign firms operating in China, akin to statutory financial audits. Yet, most companies have already been adapting to China’s expanding PI protection regulations, which may ease the transition to these new requirements.


Uncertainty and Future Prospects

Despite these developments, it remains to be seen whether these measures will be implemented, particularly considering recent efforts to streamline compliance for foreign entities. This uncertainty adds a layer of complexity for companies strategising their operations in China.



The Draft Audit Measures under China’s PIPL signify a critical step in the country’s data protection journey, potentially reshaping how businesses manage PI compliance. As China’s regulatory landscape evolves, companies must stay informed and agile, ready to adapt to these and future changes in data privacy laws.