South China Morning Post
Advertisement
Advertisement
Cybersecurity
Get more with myNEWS
A personalised news feed of stories that matter to you
Learn more
China’s MIIT is tightening its rules on data transfers. Photo: AFP
TechPolicy

China’s industry ministry gives itself more power over data transfers in updated rules

  • Regulation makes MIIT another powerful player alongside the Cyberspace Administration of China in the governance of cross-border data flows
  • Under new rule, data owners must get MIIT approval for transfer of China data to overseas industry, telecoms and radio law enforcement agencies
Cybersecurity
Coco Feng
Coco Fengin Beijing
Why you can trust SCMP

China’s Ministry of Industry and Information Technology (MIIT) has published an updated draft data regulation with stricter requirements for the management and transfer of data, which gives it a clear say in reviewing cross-border data transfers.

The new regulatory draft, published on Thursday, states that data processors must not “provide industrial, telecoms or radio law enforcement agencies abroad with data stored in China without MIIT approval”, a tightening from the previous version issued in September 2021.

If the regulation - currently open to public feedback until February 21 -becomes effective, it will make the industry ministry another powerful player alongside the Cyberspace Administration of China (CAC) in the governance of China’s cross-border data flows. It will also likely increase the complexity and costs of data compliance for industrial and technology firms operating in the country.

China tech bosses declare support for Beijing’s policy

The new regulation also requires data owners to report within three months a 30 per cent or bigger change of “important or core data” in terms of size or content. This data includes that which may have an impact on China’s politics, territory, military, economy, technology, internet, ecology, resources and nuclear security, according to the MIIT draft.

Other updates to the draft include a requirement that a company name a legal representative as the “primary person held accountable for data security”, ensuring the person in charge of data security within an organisation will shoulder “direct responsibility”.

Over the past two years, China has been strengthening its legislation and regulation pertaining to data. The sweeping Personal Information Protection Law, one of the world’s toughest on personal data security, went into effect last November. The CAC has also issued regulations on data security, asking companies that handle user data for more than a million people to undergo a review if they want to list abroad.

The CAC also published in October a draft regulation related to security reviews of data leaving the country, giving itself the power to examine and approve cross-border transmission of “important” or personal data.

1