
China proposes relaxation of security reviews for most cross-border data flows, bringing relief for multinationals

  • New proposal is aimed at ‘regulating and promoting legal, orderly and free flow of data’ and will bring relief for MNCs which had faced uncertainty
  • Vast bulk of business and personal activity involving sending Chinese data abroad will no longer go through a security assessment by CAC

China’s cyberspace regulator, which imposed tough cross-border data security requirements a year ago, creating uncertainties for multinationals, made a concession on Thursday by waiving security assessments for the bulk of day-to-day business activities involving these data flows.

According to the latest proposed regulation on cross-border data flows published by the Cyberspace Administration of China (CAC), the vast bulk of business and personal activity involving sending Chinese data abroad will no longer go through a security assessment by the cyberspace regulator, a move that is set to make life easier for multinationals with China operations.

According to the new proposal, on which public feedback is being solicited until October 15, exports of data generated by “trade, academic, cross-border manufacturing and marketing activities” will no longer be subject to a regulatory security assessment or personal information protection review. The new proposal is aimed at “regulating and promoting legal, orderly and free flow of data”.

Personal data filed in cross-border shopping, remittances, air ticket purchases, hotel bookings and visa processing can be exported without the need for a security assessment, making it easier for foreign retailers, banks and travel agencies to handle Chinese customer activity, while personal information relating to labour contracts can also be exported freely, making it easier for regional human resource departments to manage China-based staff.

Personal data exports pertaining to health and security will also be exempt from security checks and reviews, a clause that is set to help foreign insurance companies and healthcare institutions serve China-based clients, according to the regulation.

The proposed regulation comes at a time when Beijing is trying to turn a friendly face towards foreign investors and after China’s tough data security requirements threatened to deter foreign businesses from investing in the world’s second-largest economy.

Angela Zhang, an associate professor of law at the University of Hong Kong, said the proposed guidelines “offer important clarity on the existing cross-border data transfer rules” and show that the Chinese government “is responsive to complaints from the business community, assuaging their concerns about the country’s tighter regulatory environment”.

Zhang said China’s data laws in recent years “have not only increased compliance costs but also injected a high degree of uncertainty for businesses … some foreign firms have even chosen to exit the Chinese market due to concerns about compliance”.

For example, China’s Security Assessment Measures on Cross-border Transfers of Data, which came into effect last September, only vaguely defines the term “important data” pertaining to overseas transfers that must undergo a rigorous security assessment process by CAC.

This has placed a heavy burden on businesses and individuals in terms of defining what data is important.

The new proposed regulation makes it clear that no data sent from China will be regarded as “important” unless Chinese regulators or local authorities have explicitly labelled it as such.

Furthermore, data exports involving fewer than 10,000 Chinese individuals within a year can go ahead without the need to file for a security assessment or personal information protection review.

For data exports involving up to 1 million Chinese persons, the exports must use a standard export contract and register with the provincial cyberspace administration, but a security assessment can be waived. Only for those data exports involving over 1 million Chinese persons will a security assessment be mandatory, according to the proposed regulation.

At the same time, China’s government-designated free trade zones, which cover China’s major coastal cities, have the autonomy to draft their own “negative lists” for data export security review, and data exports outside the negative lists can go ahead without the need to inform the CAC, according to the new regulation.
