Advertisement
Cybersecurity
TechPolicy

China’s new cross-border data transfer law takes effect, saddling firms with increased paperwork, compliance costs, scrutiny

  • The Cyberspace Administration of China requires firms to submit a self-assessment report, which includes the recipient of the data to be transferred
  • Once documentation is completed, the internet regulator will conduct a security review that could take up to 45 working days

Reading Time:3 minutes
Why you can trust SCMP
2
The new regulation’s requirement to submit potentially sensitive information, such as where the recipient will store the data to be transferred, could be of concern to affected companies. Photo: Shutterstock
Xinmei Shen
China’s strict new cross-border data transfer regulation, which took effect on September 1, requires all affected companies to fill in and submit a slew of paperwork to the country’s internet watchdog for review, steps that may further complicate and raise compliance costs for many international businesses in the world’s second-largest economy.
Documents required by the Cyberspace Administration of China (CAC) include a self-assessment report that provides detailed information about the company seeking to export data, the recipient overseas and how they will handle the data, according to the guidelines published by the agency on Wednesday, the day before the regulation came into force.

That process covers firms with more than a million Chinese citizens as users, those seeking to export “important data”, those handling the personal information of more than 100,000 Chinese individuals, and those with the “sensitive” personal data of more than 10,000 people since the beginning of the previous year.

Such entities need to state in their application form, for example, the name of the data centre that will handle the information to be transferred, as well as the physical location and internet protocol addresses of the relevant server rooms in such a facility, according to the CAC.

The Cyberspace Administration of China requires companies that seek to export their mainland data to provide relevant information about the data centre overseas tasked to handle such transfer. Photo: Shutterstock
The Cyberspace Administration of China requires companies that seek to export their mainland data to provide relevant information about the data centre overseas tasked to handle such transfer. Photo: Shutterstock
Data centres are secure, temperature-controlled facilities built to house large-capacity servers and data storage systems, which are backed by multiple power sources and linked to high-bandwidth internet connections. These sites are largely used to host cloud computing operations.
While companies that have been tracking developments about this matter “will be pleased to see consistency” between the guidelines and previously released data regulations, the latest directive brings up more unanswered questions, according to Alex Roberts, counsel for technology, media and telecommunications at law firm Linklaters in Shanghai.
Advertisement