China new cross-border data transfer rules and what it means for international firms


How will new cross-border data transfer rules in China impact international firms?

  • The new data rules require a mandatory security review for any firm that handles the personal information of more than one million Chinese residents.
  • Based on the latest data rules, the Cyberspace Administration of China even has the discretion to conduct a security review indefinitely.
  • The new law and a formidable regulator to top it off would mean international businesses will have to find ways to comply to keep doing business on the mainland.

Once a freewheeling internet, China has been facing unprecedented actions and regulations over the last few years, as the world’s largest online population awakens to privacy concerns. In fact, just one year ago, the country approved one of the world’s strictest data privacy laws known as the Personal Information Protection Law. While it may seem like a good chance for the country to rest on its laurels, regulators have different plans and slowing down is not one of them.

To strengthen its stranglehold on its economy, China will, from September onwards, implement a set of strict new cross-border data transfer regulations. The move is expected to complicate the operations of many international businesses in the country and to significantly raise their compliance costs. To recall, the national privacy law passed last year was China’s first, and it closely resembles the world’s most robust framework for online privacy protections, Europe’s General Data Protection Regulation.

That law, the Personal Information Protection Law (PIPL), contains provisions that require any organization or individual handling Chinese citizens’ personal data to minimize data collection and to obtain prior consent. Separately, the country’s Data Security Law, rolled out in September a few months before PIPL, imposes tough penalties for the unauthorized collection, processing, storage and use of data generated in the country.

This time around, based on the finalized regulation published by the internet watchdog, the Cyberspace Administration of China (CAC), “important” and massive data transfers from China to destinations outside its borders are subject to security review. To top it off, the CAC has the discretion to conduct a review indefinitely. In essence, a security review is mandatory for any firm that handles the personal information of more than one million Chinese residents.

The internet watchdog’s green light is especially required if a data transfer is carried out by “critical information infrastructure operators”, or by any firm that needs to transfer “important” data. Approval given to a data exporter is valid for two years, and the exporter must apply for another review 60 working days before an approval comes to an end. Additionally, any entity that has handled “sensitive” personal data of more than 10,000 people since the start of the previous year will also require a security review, as will any entity that has handled the personal information of more than 100,000 Chinese citizens.

In effect, the rules would generally cover any large or mid-sized foreign company in China that needs to export Chinese clients’ data to its overseas head office for analysis or review.

In a statement, the CAC said that the regulation comes at a time when the “digital economy is prospering and cross-border data activities are growing”. Apart from regulating data export activities, the new rules aim to “protect the rights and interests of personal information, and safeguard national security and social public interests”.

What does ‘important’, ‘sensitive’ data mean for China?

As reported by the South China Morning Post, the new regulation defines important data as information “that may endanger national security, economic operation, social stability, public health and safety once it is tampered with, damaged, leaked or illegally obtained or illegally used”. That sweeping definition may cover data related to finance, healthcare and even consumer spending.

The regulation defines sensitive data as information that, once leaked or illegally used, could harm the dignity of natural persons, or put those persons or their property at risk. That could include biometrics, religious beliefs, medical health and the personal data of children. Overall, given these definitions and particularities, the new rules, paired with a formidable regulator, would mean that international organizations will have to find ways to comply to keep doing business on the mainland.

Interestingly, China is also currently dealing with one of its biggest data leak cases in history. With the data of nearly a billion individuals in China leaked and sold online, the new data transfer rules become all the more relevant for the country.