Source:
https://scmp.com/tech/policy/article/3191001/chinas-new-cross-border-data-transfer-law-takes-effect-saddling-firms

China’s new cross-border data transfer law takes effect, saddling firms with increased paperwork, compliance costs, scrutiny

  • The Cyberspace Administration of China requires firms to submit a self-assessment report, which includes the recipient of the data to be transferred
  • Once documentation is completed, the internet regulator will conduct a security review that could take up to 45 working days

The new regulation’s requirement to submit potentially sensitive information, such as where the recipient will store the data to be transferred, could be of concern to affected companies. Photo: Shutterstock

China’s strict new cross-border data transfer regulation, which took effect on September 1, requires all affected companies to fill in and submit a slew of paperwork to the country’s internet watchdog for review, steps that may further complicate and raise compliance costs for many international businesses in the world’s second-largest economy.

Documents required by the Cyberspace Administration of China (CAC) include a self-assessment report that provides detailed information about the company seeking to export data, the recipient overseas and how they will handle the data, according to the guidelines published by the agency on Wednesday, the day before the regulation came into force.

That process covers firms with more than a million Chinese citizens as users, those seeking to export “important data”, those handling the personal information of more than 100,000 Chinese individuals, and those with the “sensitive” personal data of more than 10,000 people since the beginning of the previous year.

Such entities need to state in their application form, for example, the name of the data centre that will handle the information to be transferred, as well as the physical location and internet protocol addresses of the relevant server rooms in such a facility, according to the CAC.

The Cyberspace Administration of China requires companies that seek to export their mainland data to provide relevant information about the data centre overseas tasked to handle such transfer. Photo: Shutterstock

Data centres are secure, temperature-controlled facilities built to house large-capacity servers and data storage systems, which are backed by multiple power sources and linked to high-bandwidth internet connections. These sites are largely used to host cloud computing operations.

While companies that have been tracking developments about this matter “will be pleased to see consistency” between the guidelines and previously released data regulations, the latest directive brings up more unanswered questions, according to Alex Roberts, counsel for technology, media and telecommunications at law firm Linklaters in Shanghai.

These companies could potentially be frustrated by the absence of guidance on how to make the key risk calculation for the self-assessment report, Roberts said on Thursday.

“Not knowing whether this report should be a concise four-pager versus a 20-page detailed dossier on sensitive security protocols and vulnerabilities will be a point of contention for information security teams across the country,” he said.

The requirement to submit potentially sensitive information, such as where the recipient will store the data to be transferred, could also be of concern, Roberts said. He indicated that if such detailed information was leaked, criminals could try to launch targeted cyberattacks against these businesses.

Under the new law and its formidable regulator, international companies operating on the mainland have no recourse but to find ways to comply to keep doing business in the country.

The CAC review process is expected to apply to a broad range of companies, based on the guidelines’ categories. The new regulation, however, has not properly defined what makes up “important data”.

Companies must first submit the required paperwork to the CAC’s provincial bureaus. Once the filed documents are deemed complete, the main CAC office in Beijing will conduct a security review that could take up to 45 working days. The agency also has the discretion to conduct a longer or indefinite review.

Still, the new regulation does not specify whether data flows from Hong Kong and Macau are also covered. In practice, the two special administrative regions – which are governed under the one country, two systems principle – are often treated as areas outside China’s borders.

In a statement published on Thursday, Hong Kong’s Office of the Privacy Commissioner for Personal Data reminded local enterprises – including banks, insurance companies and securities firms that do business on the mainland – to take steps and conduct a self-assessment if they meet the CAC’s criteria. The office also said it will organise a webinar on the subject to help companies understand this new Chinese regulation.

While Beijing is still fleshing out the details of its growing web of data laws, doubts have been cast on Hong Kong’s status as an international gateway, because the new measures could make it more troublesome for companies to store their data in the city than to keep such information on the mainland.