This article is more than 1 year old

Law prof: New Chinese data regulations make it 'very hard for foreign firms to comply'

Fines for sending 'core' and 'important' info overseas, although what qualifies remains undefined

China's Standing Committee of the National People's Congress has passed a new data security law requiring companies to seek approval before transferring what it refers to as "core" data overseas.

Rule-breakers can end up paying up to ¥10m ($1.56m, £1.1m) in fines or possibly face closure.

Data under a lesser qualification of "important" that is handed to overseas law enforcement agencies without Beijing's approval will receive up to ¥5m ($781,000) and a possible business suspension, up from a previous ¥1m ($156,000) that was stated in the draft of the law.

The new law also punishes companies that suffer large data leaks with a fine of up to ¥2m ($312,000).

The law is scheduled to come into effect on 1 September, leaving 2.5 months for companies and governments to plan accordingly. Major data security decisions will be made by a central national security agency.

Qualifications for "core" and "important" data were left undefined, but the law did call for the development of a classification system.

Singapore Management University law professor Henry Gao, who specialises in China, trade and the WTO, tweeted that there seems to be a lot of overlap between "core" and "important", but settled on this definition for core:

Gao told The Register via email that there are two possible reasons the law left the key terms unclear: a rushed timeline where the drafters had not yet settled on definitions and/or to give the government wide discretion over their use. He reckons it's a combination of both. Vague wording has long been a tradition in Chinese law.

Gao added:

It would be very hard for foreign firms to comply, as now they have to tread in a field filled with potential landmines. To be cautious, they might want to segment their Chinese operations from the rest of the world or transact with Chinese entities through third parties rather than directly.

One interesting thing to watch will be how China's new data law interacts with the United States' 2018 CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which allows law enforcement agencies to access stored data from US-based technology companies no matter where that data resides in the world. ®


Similar topics


Send us news

Other stories you might like