China drafts tough rules to stop data from leaving its borders as Beijing tightens grip on information

  • China
  • Sunday, 31 Oct 2021

A new set of draft rules released on Friday by the Cyberspace Administration of China (CAC), the country’s internet watchdog, has proposed additional requirements for businesses wanting to transfer Chinese data abroad, as Beijing seeks to tighten its grip on domestic data.

The draft regulations, which are likely to become official after the public feedback period ends on November 28, are set to have a far-reaching impact on the overseas listings of Chinese companies, and even day-to-day operations of multinationals operating in the country.

The new rules could also potentially affect data flows between the mainland and Hong Kong, as they cover all data leaving China’s “borders”. Under Chinese entry and exit laws, departures from the mainland to enter Hong Kong and Macau are regarded as “leaving the border”.

According to the draft, all businesses processing data gathered in China will need to conduct a self-review on the risks involved in transferring their data outside Chinese borders, and a wide scope of data transfers will be subject to a government data security review before going overseas.

Firms that need to obtain a green light from the CAC before exporting data include critical information infrastructure operators and “important data” owners.

For data gathered from the personal information of more than 1 million Chinese residents, a government review is mandatory before moving it across the border. Data involving more than 100,000 individuals or “sensitive” personal information of more than 10,000 people will also have to go through government review and approval.

That means an international consumer goods company will have to go through the government if it wants to share Chinese consumer data with its head office, while a foreign medical equipment company may have to apply for government approval to share large amounts of Chinese patient information with its regional or global head office.

Sensitive personal information refers to data that, once leaked or illegally used, could easily cause harm to the dignity of “natural persons” or risk their personal or property safety, according to China’s Personal Information Protection Law. That could include information on biometric characteristics, religious beliefs, medical health, as well as the personal information of minors under the age of 14.

CT medical equipment seen at a recent exhibition in Beijing. Foreign suppliers of such equipment may now have to seek government approval to send patient data to their head office. Photo: Xinhua

According to the latest set of draft rules, the CAC will take 45 to 60 working days to assess whether exports of data should be approved or rejected. Factors that the internet watchdog will take into consideration include the purpose and necessity of the data transfer, impact of the receiver country’s data security policies, the “cybersecurity environment” of the data to be exported, and risks involved in cases where the data is leaked, tampered with or lost.

Beijing has been ramping up its efforts to keep important domestic data from going abroad, with a web of new rules and regulations that significantly raise compliance costs for business. In July, the CAC released draft rules that said technology platform companies that possess the personal data of at least 1 million users must apply for a review by the Cybersecurity Review Office – a group backed by 12 powerful Chinese ministries – if they plan an IPO in a foreign market.

Earlier this month, the Ministry of Industry and Information Technology, one of the country’s most important technology regulators, released a draft regulation that seeks to block the export of core industrial and telecommunications data, marking China’s first regulatory attempt to draw up detailed rules under its sweeping Data Security Law rolled out this year.

Other government bodies and local governments are expected to draw up more detailed rules that would help explain and define concepts such as “critical information infrastructure operators” and “important data” under their jurisdictions.
