Edition:
HIGHLIGHTS
Donald Trump’s China policy
NEW
US-China relationsHong Kong economy
News
Hong KongChinaEconomyAsiaWorldSportThis Week in AsiaUS Elections
Business & Tech
BusinessTech
Opinion
Latest
Lifestyle
LifestylePeople & CultureStylePostMagK-popOutdoorCooking
More +
VideoTalking PostSCMP FilmsInfographicsPicturesPodcastsSCMP SeriesExplainedSCMP SpotlightNewslettersSpecial Reports
Topics
Donald Trump’s China policyUS-China relationsHong Kong’s Article 23 national security lawChina’s militaryChina's economic recoveryTrending in ChinaTaiwanChina’s Communist PartyUkraine warWellness
Focus
Greater Bay Area
avatar image
Advertisement
Cybersecurity
TechBig Tech

China to implement strict new cross-border data transfer rules from September, complicating operations of international firms

  • Under the new rules, a security review is mandatory for a firm that handles the personal information of more than 1 million Chinese residents
  • The Cyberspace Administration of China has the discretion to conduct a security review indefinitely

Reading Time:3 minutes
Why you can trust SCMP
0
China’s latest cross-border information regulation does not specify whether data flows between the mainland and Hong Kong will also be subject to security reviews. Illustration: Shutterstock
Coco Feng
China will implement from September its strict new cross-border data transfer regulation, which is expected to complicate and significantly raise compliance costs for the operations of many international businesses in the country.
The finalised regulation, published by internet watchdog the Cyberspace Administration of China (CAC) on Thursday, will require “important” and massive data transfers from China to destinations outside its borders to be subject to security review. The CAC has the discretion to conduct a review indefinitely.

A security review is mandatory for a firm that handles the personal information of more than 1 million Chinese residents. Approval given to a data exporter is valid for two years, and it must apply for another review 60 working days before an approval comes to an end.

The new regulation, however, does not specify whether data flows between the mainland and Hong Kong will also be covered by that same scrutiny. In practice, Hong Kong and Macau – which are governed under the one country, two systems principle – are often regarded as outside China’s borders.
The Cyberspace Administration of China says the new regulation comes at a time when the country’s digital economy and cross-border data activities are expanding. Photo: Shutterstock
The Cyberspace Administration of China says the new regulation comes at a time when the country’s digital economy and cross-border data activities are expanding. Photo: Shutterstock

The internet watchdog’s green light is required if a data transfer is carried out by “critical information infrastructure operators”, or any firm that needs to transfer “important” data.

Important data is defined as information “that may endanger national security, economic operation, social stability, public health and safety once it is tampered with, damaged, leaked or illegally obtained or illegally used”, according to the new regulation. That sweeping definition may cover data related to finance, healthcare and even consumer spending.

Coco Feng
Coco Feng
Coco Feng joined the Post in 2019, covering the technology and internet sector from the Greater Bay Area. Previously, she worked at the Post's Beijing bureau.
scmp poll
Advertisement
Before you go
related topics
Cybersecurity
Internet | Regulation | China technology | Hong Kong | Macau
Discover MORE stories on
Cybersecurity
now and stay updated with

Crypto exchange Coinbase warns of US$400 million hit from cyberattack

Pro-Duterte candidates in Philippine polls accused of unfair advantage

Dr DeepSeek? Hospital adoption is ‘too fast’, Chinese researchers warn

Advertisement