China will start to implement a set of regulations on security assessment of cross-border data transfers in September, the country's top cyberspace regulator announced on Thursday, as the country beefs up efforts to establish a data security protective screen against potential risks.
The Cyberspace Administration of China (CAC) announced the Measures on Security Assessment of Cross-Border Data Transfer, whose draft version was already revealed to the public last November. The Measures stipulate the circumstances under which domestic companies should report to government departments for a data security assessment before they are allowed to transfer any data out of China.
Such circumstances include transfer of data generated by operators of critical information infrastructure, or transfer of personal information by a data processor that processes personal information of one million or more individuals.
Data processors that transfer personal information of 100,000 individuals, or sensitive personal information of 10,000 people since January 1, 2021, should also undergo the security review before transferring personal data abroad. The draft version did not mention the backdated requirement.
The Measures also require data processors to conduct a self-assessment for cross-border data transfers. They should consider factors such as legality, legitimacy and necessity of transfer, as well as the risks such data transfer might bring about.
The significance of the Measures' rollout is that it helps establish a work mechanism that clarifies the working procedures of data transfer safety assessment, which often bothered local cyber information officials in the past, Zuo Xiaodong, vice president of the China Information Security Research Institute, told the Global Times on Thursday.
The Measures are rolled out as China becomes more stringent on data security as the rapid development of the internet economy is also posing data security risks. A number of Chinese internet giants faced regulatory scrutiny for data security violations over the past year or so.
In July 2021, China's cyberspace regulator ordered app stores to remove ride-hailing giant Didi Chuxing over violations of regulations regarding collection and use of personal information, shortly after its debut on the New York Stock Exchange. Didi Chuxing delisted from the New York Stock Exchange in May.
Experts said that the rollout of the Measures would provide a clear legal framework for companies to follow, which will benefit a wide range of internet companies that wish to list overseas.
The threshold, as clarified by the new rules, means almost all internet platforms operating in China that aspire to sell shares abroad need to go through a cyber security review, Liu Dingding, a Beijing-based internet industry veteran analyst, told the Global Times on Thursday.
"But the measures will be great news for internet firms that would like to go abroad. Since there are now clear requirements and procedures, firms will be quite reassured, and better understand what can be done and what can't be done," Liu said.
Liu pointed out that the new rules are not aimed at preventing data from going abroad, but to tell firms how to "regulate and repair" their data so it can be exported based on the national law.
Experts also noted the regulation is important as data has become a national resource and countries around the world are also increasing their emphasis on data protection.
"In the digital economy era, all trade is backed by data, especially cross-border trade. Therefore, in this case, the cross-border data flow policy is the national strategy," Zuo said.
Tu Lei contributed to the story