China to implement strict new cross-border data transfer rules from September, complicating operations of international firms
- Under the new rules, a security review is mandatory for a firm that handles the personal information of more than 1 million Chinese residents
- The Cyberspace Administration of China has the discretion to conduct a security review indefinitely

A security review is mandatory for a firm that handles the personal information of more than 1 million Chinese residents. Approval given to a data exporter is valid for two years, and it must apply for another review 60 working days before an approval comes to an end.

The internet watchdog’s green light is required if a data transfer is carried out by “critical information infrastructure operators”, or any firm that needs to transfer “important” data.
Important data is defined as information “that may endanger national security, economic operation, social stability, public health and safety once it is tampered with, damaged, leaked or illegally obtained or illegally used”, according to the new regulation. That sweeping definition may cover data related to finance, healthcare and even consumer spending.