On 7 July, the Cyberspace Administration of China (CAC) published the final version of its Outbound Data Transfer Security Assessment Measures (数据出境安全评估办法), at last detailing the security review process companies must undergo before transferring certain data types abroad. From September, companies will have to evaluate their own security and apply for an assessment by the CAC if they are, among other things:
- data handlers making important data available abroad
- operators of “critical information infrastructure” (CII) exporting personal
- data handlers managing the personal information of more than a million people and also making this available abroad.
The CAC can also require any company to undergo a data export security assessment should it deem one necessary.
Foreign companies have been waiting six years for clarification from Chinese authorities about the data security review process. The 2016 Cybersecurity Law (CSL) already mandated security assessments from June 2017 for CII operators seeking to export “personal information” or “important data” gathered in China. But it failed to offer more detail, and subsequent draft measures generated more confusion than clarity. The new measures fill important gaps in China’s data regulation and governance puzzle, which includes the CSL as well as the Data Security Law and Personal Information Protection Law of 2021, and the more recent Cybersecurity Review Measures of 2022.
European firms in China so far have taken a conservative approach to compliance, localizing data where possible and relying on local authorities to obtain soft approval for certain kinds of data exports. They should in theory welcome the new regulatory definitions, which include a clear timeframe for decisions by the CAC and the right to appeal against them. But companies in practice will continue to struggle with unspecific terms like “important data” and “providing [data] abroad”. Despite recent attempts at better defining important data categories, China’s emerging data classification is still messy and regulatory outcomes will likely be industry- and even company-specific.
MERICS analysis: “Although clarity regarding China’s cross-border data transfer rules is positive, multinationals must brace for tighter enforcement and stricter compliance and more companies could feel pressured to store data in the country,” says MERICS Analyst Rebecca Arcesati. “The CAC and industry regulators are likely to retain much discretion regarding data categories that trigger localization requirements. Politics will continue to shape the degree of interoperability between China’s digital economy and the rest of the world.”
More on the topic: Beijing’s watchful eye on all data flowing in and out of China – short analysis by Kai von Carnap.