China Introduces New Data Compliance Rules for Accounting Firms
#China
In the digital age, data security has become an important issue in enterprise operations, especially for accounting firms that handle a large amount of sensitive financial information, data security management is particularly important. Recently, the Ministry of Finance and the Cyberspace Administration of China issued the Interim Measures for Data Security Management of Accounting Firms (hereinafter referred to as the “Interim Measures”), which will come into force on October 1, 2024. The Interim Measures aim to provide clear guidance for accounting firms on data security management, strengthen data security management, and promote the healthy development of the industry. This article will give a brief introduction of its contents.
The Interim Measures specify the applicable objects
Interim Measures shall apply to the data processing activities associated with the following audit services provided by accounting firms that are lawfully established in the territory of the People’s Republic of China: (1) provision of audit services to listed companies, and state-owned financial institutions and central enterprises that are not listed, etc.; (2) provision of audit services to critical information infrastructure operators or online platform operators with more than one million users; and (3) provision of audit services to domestic enterprises for overseas listing. Interim Measures shall also apply to the audit businesses of accounting firms that are beyond the scope specified in the preceding paragraph but involve important data or core data.
Accounting firms should conduct classified and graded management of data
The Interim Measures require that the accounting firm shall, in accordance with the provisions of relevant laws and regulations and the standards of data classification and classification of the industry in which the audited unit is located, determine the core data important data and general data, and make clear requirements on the storage of the core data and important data related to log transmission, and the audited unit has the obligation to inform the accounting firm of the core data and important data related information in the audit materials though the business engagement letter Confirmation letter and other means.
Import Data
Core Data
General Data
Data storage
The information systems for storing important data shall meet the requirements for graded cybersecurity protection at Level 3 or above.
The information systems for storing core data shall meet the requirements for Level 4 graded cybersecurity protection.
The interim measures do not make requirements
Log management
If any important data is involved, relevant log shall be retained for no less than one year; if any important data is provided to others, processed as entrusted, or processed jointly, relevant log shall be retained for no less than three years.
If any core data is involved, relevant log shall be retained for no less than three years.
Audit working papers should be stored in China
The Interim Measures stipulate that the audit working papers of accounting firms shall be stored in China in accordance with relevant regulations. An accounting firm shall not include in the business agreement or similar contract similar clauses such as the provision of domestic project information and data by the accounting firm to overseas regulatory authorities. If an overseas regulatory authority truly needs to obtain domestic audit working papers due to regulatory needs, it shall obtain them through the corresponding cross-border regulatory cooperation mechanism in accordance with laws and regulations, and the corresponding audit working papers shall go through approval formalities when leaving the country. Accounting firms shall establish a step-by-step review mechanism for the export of audit working papers, and implement data security management and control responsibilities.
Accounting firms shall strengthen cyber security management & establish data backup system
The Interim Measures set out specific requirements for accounting firms to establish internal network security management systems, investment in network management resources, network security technical protection, and network management account authority, and ensure information system security management and technical protection, set up strict access control policies, and prevent unauthorized access.
Additionally, the accounting firms shall establish data backup system to ensure that they can still access, retrieve and use relevant audit working papers in the event that the use of audit-related application systems is suspended or restricted due to external technical reasons. Encryption devices shall be set up within the territory of the country and shall be operated and maintained by the domestic team, and the keys shall be stored within the territory.
In summary, the Interim Measures further regulate the data processing activities of accounting firms, especially the cross-border transfer of the working audit papers and strengthen data security management. Accounting firms should carry out data compliance work in light of their own business conditions, to ensure that business activities are carried out in compliance manner.
Jennie Lin
Associate
Jennie Lin, a Junior Associate at D’Andrea & Partners Legal Counsel, is based in the Shanghai office.
Background Overview On the evening of October 19, 2024, the State Council officially announced the Regulations of the People’s Republic of China on the Export Control of Dual-Use Items (hereinafter referred to as the “Regulations”), which will take effect on December 1. The Regulations aim to address issues such as the relatively scattered nature of
Overview In September 2024, China’s Ministry of Foreign Commerce (MOFCOM) launched an investigation into the business activities of PVH Corp. (the parent company of Calvin Klein and Tommy Hilfiger among other brands) under the allegation that the company violated normal market trading practices in China. MOFCOM suspects that PVH severed contracts between itself and cotton
On November 13, 2024, the 2024 ASEAN-China Greater Bay Area Economic Cooperation (Qianhai) Forum was held in Qianhai, Shenzhen City, China. The theme of the forum was “Technological Leadership, Industrial Synergy.” This year’s forum included five sub-forums, enterprise exchange exhibitions, and industrial cooperation matchmaking events. This year is the second consecutive year of the forum.
#China
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.