Beijing’s new security assessment guidelines for cross-border data transfers, which could significantly raise compliance costs for international businesses operating in China, are more far-reaching than previously anticipated, but questions remain as to how the requirement would be implemented, said legal experts.
The Cyberspace Administration of China (CAC), the country’s powerful internet watchdog, published a set of draft guidelines on Friday, laying out when and how companies should get the agency’s approval before sending data out of China.
The country’s Cybersecurity Law, which came into force in 2017, compels data exporters to go through security assessments by the government, but authorities have so far provided few details on how the requirement would be implemented. The newly proposed guidelines have shed new light on the rule, obliging all businesses that process data gathered in China to conduct a self-review on the risks of transferring that data abroad.
Under the proposal, a government review is mandatory if the data exporter handles any personal information of more than 1 million Chinese residents, or the “sensitive” personal information of more than 10,000 people. Sensitive information is legally defined as data that, once leaked or illegally used, could easily harm the dignity of natural persons or endanger their personal or property safety, such as biometrics, religious beliefs, medical health, or personal data of children.
A green light from the CAC is also needed if the data transfer is carried out by “critical information infrastructure operators”, or any firms that need to transfer “important” data – a term that currently has no clear official definition.
“The scope that’s included [where companies need to be assessed by the CAC] is bigger than expected,” said James Gong, partner at Bird & Bird law firm in Beijing.
The proposed rules could mean that an international fashion brand, for instance, may need to go through the government if it wants to share Chinese consumer data with its head office, while a foreign company selling medical equipment may also have to apply for official approval to share large amounts of Chinese patient information with offices in other regions.
The requirement may apply even when those companies are transferring mainland data to Hong Kong or Macau, since Chinese entry and exit laws regard departures from the mainland to enter the two special administrative regions as “leaving the border”.
“At the moment, everyone is working on the basis that a transfer or access of data outside mainland China is [covered by the data security assessment requirement],” said Carolyn Bigg, partner at law firm DLA Piper in Hong Kong. “So for transfers to Hong Kong and Macau, organisations would need to comply with these rules.”
While the draft guidelines have provided businesses with a “much greater understanding of what needs to be done” to meet the data assessment requirement, there are lingering uncertainties, said Bigg.
Unanswered questions include whether the CAC needs to conduct a fresh assessment for each transfer by the same company, and whether international companies transferring data internally may get an exemption.
Others pointed out that the guidelines will endow the CAC with vast powers to dictate which data transfers to approve. The draft only said that the agency will take into consideration a number of factors when reviewing applications, such as the purpose and necessity of the data transfer, the receiving country’s data security policies and cybersecurity environment, and possible dangers if the data is leaked, tampered with or lost.
“This document gives the CAC considerable leeway to politicise the export of data,” policy research firm Trivium China wrote in its newsletter. “The agency gets to judge whether or not the data laws in the target country, and the contract terms of data export, provide sufficient data protection.”
Experts also questioned whether the CAC could cope with the high volume of applications that are expected to be filed once the guidelines are implemented. The watchdog said in the draft that the approval process would take 45 to 60 working days.
“I think most companies’ data transfer requests won’t be turned down,” said Bird & Bird’s Gong. “But what I’m concerned about is the CAC’s ability and speed at handling these requests. Even though it set a limit of 60 working days, considering the amount of applications, it’s a question whether the CAC could process them in time.”
Those questions could be answered in a second draft, according to Bigg, who said that previous versions of the draft rules, published in 2017 and 2019, were subject to substantial lobbying during their consultation periods.
“We fully expect that there will be the same amount of attention and response this time,” she said.
Beijing has been ramping up its efforts to keep important domestic data from going abroad with a web of new rules and regulations that could greatly increase business costs in China.
In July, the CAC released draft rules that said technology platform companies that possess the personal data of at least 1 million users must apply for a review by the Cybersecurity Review Office – a group backed by 12 Chinese ministries – if they plan to file an initial public offering in a foreign market.
Earlier this month, the Ministry of Industry and Information Technology, one of the country’s leading technology regulators, unveiled a proposed regulation that seeks to block the export of core industrial and telecommunications data, marking China’s first regulatory attempt to draw up detailed rules under its sweeping Data Security Law rolled out this year.
scmp