While China tightens controls on data flow and information sales, businesses across the country are struggling to export data that has grown critical for beating a slowing economy.
China introduced a new data security regime in September 2021, including safeguarding “important data” and “core data” involving national and economic security, people’s welfare, and matters of critical public interest.
In the second half of 2022, China introduced new guidelines requiring case-by-case clearance for moving and exporting data, which also posed added restrictions on the use of data by businesses.
But industry insiders say China has been sluggish in approving data export applications since new data security laws were enacted, which is troubling for companies trying to move data offshore in the wake of economic challenges in the world’s second-largest economy.
“Given the slowing economy, the free flow of data plays a pivotal role in the operations of businesses, particularly multinational corporations, on a global scale. Concurrently, the associated risks inherent in data flow are a significant consideration nowadays,” said Nick Beckett, managing partner of Beijing and Hong Kong-based law firm CMS.
“The implementation [of data compliance] requirements pose challenges for enterprises, especially smaller ones with limited compliance budgets. In addition, the vague scope of ‘important data’ may also put companies in uncertainty for their data processing in business operations,” Mr. Beckett told The Epoch Times.
According to a recent Financial Times report, roughly 25 percent of data export applications have been approved since the new data security standards were implemented.
Thousands of requests from both domestic and foreign companies to share sensitive information with their international partners—including customers’ credit histories and online purchase records—have not been approved by the Cybersecurity Administration of China (CAC), the country’s primary internet regulator.
While the regulator is required by law to finish a data security evaluation within 57 business days of receiving an application, the report said that most companies wind up waiting for a response for months.
Consequently, businesses are struggling, according to Mr. Beckett.
Little Wiggle Room
Contrary to this perception, however, the regulations have set relatively low thresholds for security assessments. For example, a security assessment becomes mandatory if a company exports 100,000 or more individuals’ personal information cumulatively over two consecutive years.Considering China’s population size, adds Mr. Beckett, a threshold of 100,000 is relatively low.
Additionally, the regulations also impose relatively stringent requirements for standard contracts and certifications. For example, for transferring personal information through signing standard contracts, the requirement differs from the General Data Protection Regulation (known as GDPR and generally considered as a benchmark) standard contract requirements where signing the contract is sufficient.
In China, after signing the standard contract, companies are required to file the signed contract with regulatory authorities and submit an impact assessment report, disclosing and evaluating specific details regarding the export of personal information.
“This increases the compliance burden on businesses, requiring them to invest time and effort in organizing relevant information and drafting reports,” Mr. Beckett said.
Regulation’s Nuances
“China’s Data Security Law and the Personal Information Protection Law, manage respectively data and personal information. Here, data specifically refers to data that is non-personal in nature,” Mr. Beckett said.These laws went into force in September and November of 2021, respectively. Certain provisions related to data security, including personal information security, were referenced in the Cybersecurity Law prior to its enactment.
However, businesses are required to undergo security assessments under a combination of three statutes—namely the Cybersecurity Law, Data Security Law, and Personal Information Protection Law—for cross-border sharing of data.
Data here refer to transfers of important data, personal information meeting specific quantity criteria, and personal information and important data collected and generated within China by critical information infrastructure operators, such as Energy, Transport, Water, and Finance, to name a few.
Businesses are required to conduct a full examination of all their data exports throughout the execution of security assessments, standard contracts, and certifications.
Non-compliance issues discovered throughout the assessment process also need corrective actions, such as resolving circumstances in which a specific agreement for personal information export was not acquired.
Businesses are also required to draft impact assessment reports based on assessment results and process details. To achieve these regulatory obligations, businesses often need to dedicate human resources or pay fees to employ third-party services, introducing additional costs that jeopardize business budgets, according to Mr. Beckett.
“[Consequently] the associated risks inherent in data flow are a significant consideration nowadays,” he said.
For example, if a multinational corporation’s relevant business data, including personal information, requires processing or storage on servers in different countries or processing systems, and if analysis or anonymization of such data is performed locally before aggregation, the full potential of the data may be lost.
Widespread Concerns
In its “European Business in China Position Paper 2023/2024,“ the European Union Chamber of Commerce in China expressed concern about the ambiguity of the definition of ”important data” in China’s data. It noted that the personal information protection legislation creates difficulties for foreign companies in the country.The paper also requested strengthening China’s regulatory environment’s predictability and reliability by ensuring laws and regulations are detailed and well-defined, allowing enterprises to undertake independent audits to be certified in compliance with global legislation.
Nevertheless, in a bid to improve the economic environment, China’s cybersecurity authorities are considering relaxing some regulations for multinational corporations and international firms.
On Sept. 28, 2023, Beijing issued a draft regulation, the Draft Provisions on Regulating and Promoting Cross-border Data Transfers, which potentially loosens certain requirements for the cross-border transfer of data.
It clarifies that any data not publicly identified or announced by the sector regulator as important data can be exported without a security assessment.
It also increases the threshold for personal information exporters subject to security assessments—only leaving those exporting more than 1 million individuals’ personal information within one year subject to the security assessment requirement.
Additionally, it exempts the requirements for a security assessment, standard contract, or certification for personal information transfer in certain circumstances.
“However, this draft regulation is still in draft form, and many companies are awaiting its finalization and effectiveness,” concluded Mr. Beckett.
