In this issue of the MERICS China Essentials we cover the following topics:
- Global companies need to look out for China’s new data transfer rules
- China tries to disentangle its foreign relations from Russia at G20 meeting
- Exports, inflation and consumption striking at the core of China’s growth engine
- Crackdown in Zhengzhou after citizens vent anger about no access to deposits
The Cyberspace Administration of China (CAC) on 7 July published the final version of its Outbound Data Transfer Security Assessment Measures (据出境安全评估办法), at last detailing the security review process companies must undergo before transferring certain data types abroad. Companies from September will have to evaluate their own security and apply for an assessment by the CAC if they are, among other things:
- data handlers making important data available abroad
- operators of “critical information infrastructure” (CII) exporting personal
- data handlers managing the personal information of more than a million people and also making this available abroad.
The CAC can also mandate any company to undergo data export security assessment should it deem one necessary.
You are reading a free excerpt from the July 14, 2022 issue of our MERICS China Essentials. Become a subscriber to get access to all contents. Find out more about our subscription packages here.
Foreign companies have been waiting six years for clarification from Chinese authorities about the data security review process. The 2016 Cybersecurity Law (CSL) already mandated security assessments from June 2017 for CII operators seeking to export “personal information” or “important data” gathered in China. But it failed to offer more detail and subsequent draft measures generated more confusion than clarity. The new measures fill important gaps in China’s data regulation and governance puzzle, which includes the CSL, but also the Data Security Law and Personal Information Protection Law of 2021, and the more recent Cybersecurity Review Measures of 2022.
European firms in China so far have taken a conservative approach to compliance, localizing data where possible and relying on local authorities to obtain soft approval for certain kinds of data exports. They should in theory welcome the new regulatory definitions, which include a clear timeframe for decisions by the CAC and the right to appeal against them. But companies in practice will continue to struggle with unspecific terms like “important data” and “providing [data] abroad”. Despite recent attempts at better defining important data categories, China’s emerging data classification is still messy and regulatory outcomes will likely be industry- and even company-specific.
MERICS analysis: “Although clarity regarding China’s cross-border data transfer rules is positive, multinationals must brace for tighter enforcement and stricter compliance and more companies could feel pressured to store data in the country,” says MERICS Analyst Rebecca Arcesati. “The CAC and industry regulators are likely to retain much discretion regarding data categories that trigger localization requirements. Politics will continue to shape the degree of interoperability between China’s digital economy and the rest of the world.”
More on the topic: Beijing’s watchful eye on all data flowing in and out of China – short analysis by Kai von Carnap.
Media coverage and sources:
In an attempt to contain a Covid-19 surge in Macau, all casinos in the gambling mecca will be shut completely for a week – a drastic move last seen more than two years ago in the pandemic’s first months. Macau, Hong Kong and China are facing a difficult summer as Covid-cases rise and citizens’ patience wanes. But with a fast-rising 2,300 locally transmitted cases reported in mainland China last week, Beijing’s pandemic response is changing. As new variants become ever more infectious and harder to contain, the Chinese government is loosening quarantine rules while intensifying regular testing.
(Sources: Reuters, WSJ, Sixthtone)