China release additional rules for companies transferring data abroad

>>> THE WIRE - Walk You Through Every Trading Day

The Cyberspace Administration of China (CAC), the country’s internet watchdog, have proposed additional rules for companies that want to transfer Chinese data abroad.

According to the draft rules released on Friday, all businesses processing data gathered in China will need to conduct a self review on the risks involved in transferring their data outside Chinese borders, and a wide scope of data transfers will be subject to a government data security review before going overseas.

Companies need to obtain a green light from the CAC before exporting data include critical information infrastructure operators and “important data” owners, according to the draft rules.

For data gathered from the personal information of more than 1 million Chinese residents, a government review is mandatory before moving it across the border. Data involving more than 100,000 individuals or “sensitive” personal information of more than 10,000 people will also have to go through government review and approval.

That means an international consumer goods company will have to go through the government if it wants to share Chinese consumer data with its head office, while a foreign medical equipment company may have to apply for government approval to share large amounts of Chinese patient information with its regional or global head office.

While the draft rules clarified a range of matters regarding a data export security review, there are still uncertainties in how the rules will be implemented.

Sensitive personal information refers to data that, once leaked or illegally used, could easily cause harm to the dignity of “natural persons” or risk their personal or property safety, according to China’s Personal Information Protection Law. That could include information on biometric characteristics, religious beliefs, medical health, as well as the personal information of minors under the age of 14.

According to the latest set of draft rules, the CAC will take 45 to 60 working days to assess whether exports of data should be approved or rejected. Factors that the internet watchdog will take into consideration include the purpose and necessity of the data transfer, impact of the receiver country’s data security policies and its “cybersecurity environment”, and risks involved in cases where the data is leaked, tampered with or lost.

Beijing has been ramping up its efforts to keep important domestic data from going abroad, with a web of new rules and regulations that significantly raise compliance costs for business.

In July, the CAC released draft rules that said technology platform companies that possess the personal data of at least 1 million users must apply for a review by the Cybersecurity Review Office – a group backed by 12 powerful Chinese ministries – if they plan an IPO in a foreign market.

Last month, China’s industry ministry drew up draft rules aimed at strengthening its new data security law, including defining “core” and “important” data for which cross-border transfers must receive approval.

The State Administration for Market Regulation said on Friday that super-large online platform operators should establish and improve data security reviews and internal control mechanisms. Data development activities involving the processing of users’ personal information and cross-border data flow must be carried out in strict accordance with laws and regulations to ensure data security.

The threshold of a million users, as clarified by the new rules, means almost all platforms operating in China which aspire to sell shares abroad need to go through a cybersecurity review, Liu Dingding, a Beijing-based internet sector analyst.

The Chinese regulator is patching up regulation shortcomings as companies make a leap forward on data proceedings, said Lu Chuanying, director of the Research Center for International Cyberspace Governance under the Shanghai Institute for International Studies. “It is a big trend for different countries to protect data.”