avatar image
Advertisement

China to implement strict new cross-border data transfer rules from September, complicating operations of international firms

  • Under the new rules, a security review is mandatory for a firm that handles the personal information of more than 1 million Chinese residents
  • The Cyberspace Administration of China has the discretion to conduct a security review indefinitely

Reading Time:3 minutes
Why you can trust SCMP
0
China’s latest cross-border information regulation does not specify whether data flows between the mainland and Hong Kong will also be subject to security reviews. Illustration: Shutterstock
China will implement from September its strict new cross-border data transfer regulation, which is expected to complicate and significantly raise compliance costs for the operations of many international businesses in the country.
The finalised regulation, published by internet watchdog the Cyberspace Administration of China (CAC) on Thursday, will require “important” and massive data transfers from China to destinations outside its borders to be subject to security review. The CAC has the discretion to conduct a review indefinitely.

A security review is mandatory for a firm that handles the personal information of more than 1 million Chinese residents. Approval given to a data exporter is valid for two years, and it must apply for another review 60 working days before an approval comes to an end.

The new regulation, however, does not specify whether data flows between the mainland and Hong Kong will also be covered by that same scrutiny. In practice, Hong Kong and Macau – which are governed under the one country, two systems principle – are often regarded as outside China’s borders.
The Cyberspace Administration of China says the new regulation comes at a time when the country’s digital economy and cross-border data activities are expanding. Photo: Shutterstock
The Cyberspace Administration of China says the new regulation comes at a time when the country’s digital economy and cross-border data activities are expanding. Photo: Shutterstock

The internet watchdog’s green light is required if a data transfer is carried out by “critical information infrastructure operators”, or any firm that needs to transfer “important” data.

Important data is defined as information “that may endanger national security, economic operation, social stability, public health and safety once it is tampered with, damaged, leaked or illegally obtained or illegally used”, according to the new regulation. That sweeping definition may cover data related to finance, healthcare and even consumer spending.

Coco Feng
Coco Feng joined the Post in 2019, covering the technology and internet sector from the Greater Bay Area. Previously, she worked at the Post's Beijing bureau.
Advertisement