China plans to impose the world's strictest digital privacy rights rules against large corporations like Facebook and Google by requiring them to obtain users' permission before sending any data on them outside the country.
The draft rules were put out for public comment on Tuesday and would oblige any company that transfers more than one terabyte of data or data on more than 500,000 users to go through an annual security assessment.
The law would also prevent the transmission of any economic, scientific or technological data outside the country if the Chinese government decides it poses a threat to security or public interest.
The rules apply to any "network operator" – a phrase that is expected to encompass social media companies and search engines as well as other companies that make extensive use of the internet, from tech companies to banks.
Before any personally identifiable information – such as email addresses, phone numbers, birthdays etc – is allowed out of China, companies would be obliged to get permission from users, as well as from the government.
The Cyberspace Administration of China (CAC) claimed the rules were needed to "secure personal information and the safety of important data, as well as to protect internet sovereignty and national security."
The same but different
The idea of putting restrictions on the export of user data and passing laws to encourage that data be stored locally by multinational corporations is not new – much of Europe and countries like Brazil have considered similar measures.
But China's long history of censoring the internet, placing the entire country behind a firewall, placing restrictions on foreign companies, and undertaking widespread surveillance of internet communication – as well as the intimidation and prosecution of anyone who is deemed to be a threat to the state – means that the measures are ominous rather than purely protective.
It is also uncertain what an "annual security audit" would entail, although it is a fair bet it would result in the installation of a parallel pipe of data to the authorities. And of course, with the stroke of a pen, the Chinese government could decide that a company's data was a threat to its sovereignty or posed a risk to the public interest, giving it an enormous degree of leverage over companies operating inside China.
The rules are just the latest in a series of recent clampdowns on the internet inside China and textbook protectionism by the Asian superpower. In May last year, the US government warned that a new requirement to require all Chinese domain names to be registered through Chinese government-licensed providers risked fragmenting the internet.
And just last month the Chinese government put out its "International Strategy of Cooperation on Cyberspace," which includes rules it wants to see applied across the internet. The country has been taking a much better role in internet governance in recent years, and has rallied various countries to its cause.
That is not to say the public consultation is a farce: the Chinese government has in the past watered down some of its more authoritarian instincts when it comes to internet rules. But regardless of the inevitable responses from international corporations arguing against the imposition of data restrictions and security audits, what does result is still going to be far more restrictive than any companies would want.
As ever, they will have to do the math on whether the cost of doing business in China is worth the revenues that result. ®