A new set of draft rules released on Friday by the Cyberspace Administration of China (CAC), the country’s internet watchdog, have proposed additional requirements for businesses wanting to transfer Chinese data abroad, as Beijing seeks to tighten its grip on domestic data.
The draft regulations, which are likely to become official after the public feedback period ends on November 28, are set to have a far-reaching impact on the overseas listings of Chinese companies, and even day-to-day operations of multinationals operating in the country.
The new rules could also potentially affect data flows between the mainland and Hong Kong, as they cover all data leaving China’s “borders”. Under Chinese entry and exit laws, departures from the mainland to enter Hong Kong and Macau are regarded as “leaving the border”.
Do you have questions about the biggest topics and trends from around the world? Get the answers with SCMP Knowledge, our new platform of curated content with explainers, FAQs, analyses and infographics brought to you by our award-winning team.
“It’s clear that the rules apply to Hong Kong,” said James Gong, partner at Bird & Bird law firm in Beijing.
According to the draft, all businesses processing data gathered in China will need to conduct a self review on the risks involved in transferring their data outside Chinese borders, and a wide scope of data transfers will be subject to a government data security review before going overseas.
Firms that need to obtain a green light from the CAC before exporting data include critical information infrastructure operators and “important data” owners.
For data gathered from the personal information of more than 1 million Chinese residents, a government review is mandatory before moving it across the border. Data involving more than 100,000 individuals or “sensitive” personal information of more than 10,000 people will also have to go through government review and approval.
That means an international consumer goods company will have to go through the government if it wants to share Chinese consumer data with its head office, while a foreign medical equipment company may have to apply for government approval to share large amounts of Chinese patient information with its regional or global head office.
While the draft rules clarified a range of matters regarding a data export security review, there are still uncertainties in how the rules will be implemented.
“In terms of businesses complying in practise, we still need time to accurately figure out how far the regulator is willing to go and how long it might take,” said Xia Hailong, a lawyer at the firm Shanghai Shenlun.
Sensitive personal information refers to data that, once leaked or illegally used, could easily cause harm to the dignity of “natural persons” or risk their personal or property safety, according to China’s Personal Information Protection Law. That could include information on biometric characteristics, religious beliefs, medical health, as well as the personal information of minors under the age of 14.
According to the latest set of draft rules, the CAC will take 45 to 60 working days to assess whether exports of data should be approved or rejected. Factors that the internet watchdog will take into consideration include the purpose and necessity of the data transfer, impact of the receiver country’s data security policies and its “cybersecurity environment”, and risks involved in cases where the data is leaked, tampered with or lost.
Beijing has been ramping up its efforts to keep important domestic data from going abroad, with a web of new rules and regulations that significantly raise compliance costs for business. In July, the CAC released draft rules that said technology platform companies that possess the personal data of at least 1 million users must apply for a review by the Cybersecurity Review Office – a group backed by 12 powerful Chinese ministries – if they plan an IPO in a foreign market.
Earlier this month, the Ministry of Industry and Information Technology, one of the country’s most important technology regulators, released a draft regulation that seeks to block the export of core industrial and telecommunications data, marking China’s first regulatory attempt to draw up detailed rules under its sweeping Data Security Law rolled out this year.
Other government bodies and local governments are expected to draw up more detailed rules that would help explain and define concepts such as “critical information infrastructure operators” and “important data” under their jurisdictions.
More from South China Morning Post:
This article China drafts tough rules to stop data from leaving its borders as Beijing tightens grip on information first appeared on South China Morning Post