Debund | How should the data in the audit working papers of China concept stocks be transferred abroad?

2022-11-21 10:04:37

China and the United States recently signed the Agreement on Audit Cooperation and Inspection, which allows inspectors and investigators of the US Public Company Accounting Oversight Board (PCAOB) to go to Hong Kong to review the audit materials of Chinese companies listed in the United States, including the complete audit working papers with all the information they contain. According to media reports, Alibaba, JD and Yum China will be the first enterprises to be inspected. Since the audit working papers contain a large amount of data and personal information about domestic users (hereinafter collectively referred to as "data"), I would like to discuss whether the review of the working papers by the US side counts as an outbound data transfer, and what procedures domestic laws and regulations require before these data may leave the country.


Outbound data transfers are governed by China's Cybersecurity Law, Data Security Law, Personal Information Protection Law and the Measures for the Security Assessment of Outbound Data Transfers. The most recent provision is the Guidelines for Applying for Security Assessment of Outbound Data Transfers (First Edition), issued on August 31, 2022, which specify the application methods, application process, application materials and other requirements for the security assessment.



1. Do the audit working papers involve outbound data that must be supervised?



The audit working papers are all of the working records and information obtained by the auditors in the course of the audit. They are not limited to accounting records but may also include financial data and business data. Many of the Chinese companies listed in the United States are well-known domestic Internet enterprises in fields such as technology, media, telecommunications, education, automobiles and local services. They hold a large amount of personal information and sensitive personal information, as well as important data relating to key industries such as technology and telecommunications, and this will be reflected in the audit working papers.


If the audited enterprise is a critical information infrastructure operator, or processes personal information and important data collected and generated in its operations in China, its audit working papers may indeed contain personal information or important data. Under the Measures for the Security Assessment of Outbound Data Transfers, a data processor that provides important data abroad must apply to the Chinese government for a security assessment of the outbound transfer.



2. Does reviewing the audit working papers constitute an outbound data transfer?



Under the Measures for the Security Assessment of Outbound Data Transfers, both of the following are outbound data transfers: a data processor transferring and storing abroad data that it collected and generated in its domestic operations; and data collected and generated by a data processor being stored in China while overseas institutions, organizations or individuals are able to query, retrieve, download or export it.


Therefore, if the audit working papers involve personal information or important data, their review by the US Public Company Accounting Oversight Board constitutes an outbound data transfer. The domestic audit firm, as the responsible party, must complete the necessary procedures, such as the outbound data transfer security assessment or the cybersecurity review, in accordance with the relevant Chinese laws and regulations.



3. What outbound data transfer procedures might the Agreement on Audit Cooperation and Inspection stipulate?



The contents of the Sino-US Agreement on Audit Cooperation and Inspection have not yet been published, but the head of the China Securities Regulatory Commission (CSRC) touched on the outbound data transfer procedures when answering reporters' questions: the cooperation agreement makes clear arrangements for the processing and use of sensitive information that may be involved in audit supervision cooperation, and sets up special handling procedures for specific data such as personal information, providing both parties with a feasible path to protect the security of the relevant information while fulfilling their statutory regulatory responsibilities.


Since outbound transfers of personal information meeting the statutory thresholds fall within the scope of the Measures for the Security Assessment of Outbound Data Transfers, this special handling procedure is likely to incorporate the requirements of the Measures. Under the Measures, the audit working papers must pass the Chinese government's security assessment before they leave the country, and the domestic audit firm, as the applicant, is the party that must pass it. The most important step is to first carry out a self-assessment of the outbound transfer risk, following the statutory key assessment items.


In the self-assessment, the first task is to determine whether the data in the audit working papers constitute important data, combining the national definition of "important data" with the identification of "important industry data" by the competent industry authorities. If the data do not constitute important data and only personal information and sensitive personal information meeting the thresholds are being transferred abroad, whether of customers or of other individuals involved in the business, particular attention must be paid to reviewing the scale, scope, type and sensitivity of the outbound data, as well as the risks the transfer may pose to national security, the public interest, and the legitimate rights and interests of individuals or organizations.


The Guidelines for Applying for Security Assessment of Outbound Data Transfers (First Edition) also expressly require that the specific items to be disclosed by the data processor be listed in tabular form. For the "data to be transferred abroad", the data volume (MB/GB/TB), sensitivity (for example, whether it is personal information), the number of natural persons involved and the amount of important data must be filled in. If personal information is involved, the transfer must also comply with the Personal Information Protection Law and related laws and regulations; for example, the prior consent of the personal information subject must have been obtained for the outbound transfer.



4. What constraints will the US Public Company Accounting Oversight Board (PCAOB) be subject to?



Under the Measures for the Security Assessment of Outbound Data Transfers, for the domestic audit firm to pass the outbound transfer review it must conclude a legal document with the overseas recipient of the data that contains specified contents and clearly defines the recipient's data security protection obligations. In other words, the US PCAOB and any audit firm it designates to review the working papers will also be bound by these legal documents, which must include:


(1) the purpose, method and scope of the outbound transfer, and the purpose and method of data processing by the overseas recipient;


(2) the location and duration of data storage abroad, and how the outbound data will be handled once the storage period expires, the agreed purpose is completed or the legal document is terminated;


(3) binding requirements on the overseas recipient's onward transfer of the outbound data to other organizations or individuals;


(4) the security measures the overseas recipient must take when its actual control or business scope changes substantially, when the data security protection policies, regulations or cybersecurity environment of the country or region where it is located change, or when other force majeure circumstances make it difficult to ensure data security;


(5) remedies, liability for breach and dispute resolution methods for breaches of the data security protection obligations agreed in the legal document;


(6) the requirements for proper emergency response when the outbound data is at risk of tampering, destruction, leakage, loss, transfer, unlawful acquisition or unlawful use, and the ways and means by which individuals can protect their personal information rights and interests.


Among these, particular attention should be paid to the purpose (1), onward transfer (3) and emergency measures after a data incident (6). First, the audit working papers may only be used for the agreed purpose. Personal information may be stored only for the shortest time necessary to achieve that purpose, after which it must be deleted or anonymized. Second, it must be agreed that the outbound data will not be transferred onward to other organizations or individuals; if an onward transfer is needed, the corresponding legal procedures must be followed, including obtaining the individual's separate consent and reaching a written agreement with the third party. Finally, effective technical and management measures must be taken and regularly checked to ensure they continue to maintain an appropriate level of security. In the event of a leak, appropriate remedial measures must be taken promptly and the notification obligation fulfilled (including notifying the personal information processor and China's regulatory authorities).


In addition, US domestic law also deserves attention. The US CLOUD Act currently uses the data controller as the jurisdictional criterion for data, meaning that it allows the US federal government to compel the production of data held by US enterprises regardless of whether the data is stored in the United States. In this case, if the US government is found to be seeking access to the relevant data, the overseas recipient should promptly notify the domestic audit firm and China's regulatory authorities and exhaust the available legal remedies. The Agreement on Audit Cooperation and Inspection signed between China and the United States presumably also contains an arrangement on this issue.


Finally, the game between China and the United States is very complex, so even though the Agreement on Audit Cooperation and Inspection has been signed, the market still doubts whether it can be implemented. For example, in July 2022, before the agreement was signed, the 2022 annual report that Alibaba filed with the US Securities and Exchange Commission stated: "Although the CSRC has issued the Provisions on Strengthening the Confidentiality and Archives Management Related to Overseas Issuance and Listing of Securities by Domestic Enterprises (Draft for Comments) to assist the U.S. Public Company Accounting Oversight Board in inspecting Chinese accounting firms, it cannot be determined whether our audit firm or we can meet the requirements of the U.S. regulators."


The author nevertheless remains optimistic. The information in the audit working papers can in fact be traced through day-to-day economic activities and reports; at most, the review re-confirms existing judgments. That China and the United States have signed an agreement at all means that breakthroughs have been made in many areas where consensus could not previously be reached. For both parties, the benefits of reaching consensus must outweigh the risks, so there is no need to be overly nervous.