China to implement strict new cross-border data transfer rules
China will implement from September its strict new cross-border data transfer regulation, which is expected to complicate the operations of many international businesses in the country and significantly raise their compliance costs.
The finalised regulation, published by internet watchdog the Cyberspace Administration of China (CAC) on Thursday, will require “important” and large-volume data transfers from China to destinations outside its borders to be subject to security review. The CAC may, at its discretion, extend a review indefinitely.
A security review is mandatory for a firm that handles the personal information of more than 1 million Chinese residents. Approval given to a data exporter is valid for two years, and the exporter must apply for another review 60 working days before the approval expires.
The new regulation, however, does not specify whether data flows between the mainland and Hong Kong will also be covered by that same scrutiny. In practice, Hong Kong and Macau – which are governed under the one country, two systems principle – are often regarded as outside China’s borders.
The internet watchdog’s green light is required if a data transfer is carried out by “critical information infrastructure operators”, or any firm that needs to transfer “important” data.
Important data is defined as information “that may endanger national security, economic operation, social stability, public health and safety once it is tampered with, damaged, leaked or illegally obtained or illegally used”, according to the new regulation. That sweeping definition may cover data related to finance, healthcare and even consumer spending.
A security review is also needed for any entity that has handled “sensitive” personal data of more than 10,000 people since the start of the previous year, as well as any entity that has handled the personal information of more than 100,000 Chinese citizens. This would generally cover any large or mid-sized foreign company in China that needs to export Chinese clients’ data to its overseas head office for analysis or review.
The regulation defines sensitive data as information that, once leaked or illegally used, could harm the dignity of natural persons or put their person or property at risk. Examples include biometric data, religious beliefs, health records and the personal data of children.
The CAC said in a statement on Thursday that the regulation comes at a time when the “digital economy is prospering and cross-border data activities are growing”. Apart from regulating data export activities, the new rules aim to “protect the rights and interests of personal information, and safeguard national security and social public interests”.
With a new law and a formidable regulator, international businesses will have to find ways to comply to keep doing business on the mainland.
“What we are seeing is an acceleration in China’s ongoing efforts to settle on a coherent, workable system to oversee and facilitate necessary cross-border data transfers that companies can work with,” said Nathaniel Rushforth, a senior associate at law firm Holman Fenwick Willan in Shanghai, who specialises in cross-border data compliance issues.
“The initial impact is likely to include some unavoidable increases in compliance cost,” Rushforth said. He indicated that “what naturally comes along with ongoing clarification of requirements is a flurry of work on meeting them”.
China has been tightening its cybersecurity rules since last year.
The country’s Data Security Law was rolled out in September, while the Personal Information Protection Law took effect in November. Both laws impose tough penalties for the unauthorised collection, processing, storage and use of data generated in the country.
Initial public offerings by Chinese companies in foreign capital markets require an additional layer of oversight under the Cybersecurity Review Measures, a regulation jointly signed off by 13 Chinese ministerial bodies, which took effect in February this year. Technology platform companies that possess the personal data of at least 1 million users and seek to list abroad must apply for a review by the Cybersecurity Review Office, a unit inside the CAC.
“We will probably see an uptick in audits, assessments or enforcement actions under these [new] rules, as they become effective against larger companies, including multinational corporations,” said Rushforth from law firm Holman Fenwick Willan. South China Morning Post