Zhou Xin

Opinion | Easier cross-border data transfers back up China’s business-friendly messaging with practical change

  • Allowing the resumption of cross-border data transfers in day-to-day business shows pragmatism can still prevail in Chinese policymaking
  • The regulatory ambiguity of requiring a cybersecurity review for almost any data generated in China was paralysing for the business community

A staff member works at the State Key Laboratory of Public Big Data at Guizhou University, in southwestern Guiyang province, on May 27, 2022. Photo: Xinhua

China has been building up a comprehensive and strict data regulatory framework over the last couple of years. With these rules, intended to ensure sufficient state oversight of cross-border data transfers, regulators have rushed to translate Beijing’s strategic security concerns into articulated rules that individuals and businesses must follow.

The impact of this move has been clear: with one law drafted after another, the state gradually increased its power over data with sometimes vague legislation, leaving government agencies to sort out the details of enforcement. Yet not even the administrative state has ironed everything out, leaving business executives and corporate lawyers scratching their heads over what is allowed.

Some believe that new data rules are intentionally vague to give arbitrary power to regulators through impromptu implementation. More realistically, a sense of national emergency pushed Chinese regulators to rush new regulations before having a clear idea of how the rules could be implemented.

In this haste to plug loopholes or address potential security threats, business interests are often not fully considered – and sometimes they are sacrificed.

For example, the Cyberspace Administration of China (CAC) proposed in 2021 a security review process for companies seeking overseas initial public offerings when they handle the data of more than 1 million Chinese users. This came after ride-hailing giant Didi Chuxing listed in New York that summer against the advice of domestic regulators.

The finalised cybersecurity review regulation came into force in February 2022, adding a layer of compliance costs. In the months between Didi's IPO and the official implementation of the rules, overseas IPOs had to halt because there was no process for applicants to follow even if they wanted to comply.

Another important regulation came into effect in September 2022, requiring that the export of “important data” and personal information go through a security review, again adding to business uncertainty.

Whether from a bank, hospital or travel agency, nearly any data generated in China could be seen as important or sensitive. This vague governance regime had seemingly created a nightmare scenario where simply sending a spreadsheet abroad required a security check. No company dare ignore the rules lest they risk a knock at the door from law enforcement.
