CAC Seeks Comments on Administrative Measures for Personal Information Protection Compliance Audit
On August 3, 2023, the Cyberspace Administration of China (CAC) released the Administrative Measures for Personal Information Protection Compliance Audit (Draft for Comment) (the "Draft"), which is open for public comments until September 2, 2023.
The Draft stipulates that personal information processors who process personal information of more than one million individuals should conduct personal information protection compliance audits at least once a year, while other personal information processors should conduct such audits at least once every two years. It also specifies that departments responsible for personal information protection, as part of their duties, may request personal information processors to commission professional institutions for compliance audits of their personal information processing activities when they identify significant risks in those activities or encounter personal information security incidents. Moreover, the Draft requires that professional institutions must not subcontract or delegate the personal information protection compliance audits to third parties, and they should not maliciously disrupt the normal business activities of personal information processors during the audit process. The Draft also includes the Reference Points for Personal Information Protection Compliance Audit.
(Source: Cyberspace Administration of China)