Explainer | What China’s strict new data export guidelines mean to international businesses

Beijing’s new security assessment guidelines for cross-border data transfers, which could significantly raise compliance costs for international businesses operating in China, are more far-reaching than previously anticipated, but questions remain as to how the requirement would be implemented, said legal experts.

The Cyberspace Administration of China (CAC), the country’s powerful internet watchdog, published a set of draft guidelines on Friday, laying out when and how companies should get the agency’s approval before sending data out of China.

The country’s Cybersecurity Law, which came into force in 2017, compels data exporters to go through security assessments by the government, but authorities have so far provided few details on how the requirement would be implemented. The newly proposed guidelines have shed new light on the rule, obliging all businesses that process data gathered in China to conduct a self-review on the risks of transferring that data abroad.

Under the proposal, a government review is mandatory if the data exporter handles any personal information of more than 1 million Chinese residents, or the “sensitive” personal information of more than 10,000 people. Sensitive information is legally defined as data that, once leaked or illegally used, could easily harm the dignity of natural persons or put themselves or their property at risk, such as biometrics, religious beliefs, medical health, or personal data of children.

A green light from the CAC is also needed if the data transfer is carried out by “critical information infrastructure operators”, or any firms that need to transfer “important” data – a term that currently has no clear official definition.

“The scope that’s included [where companies need to be assessed by the CAC] is bigger than expected,” said James Gong, partner at Bird & Bird law firm in Beijing.