China's cyberspace regulator details data export requirements
The countdown to compliance began in January – last year
China's cyberspace regulator has announced that data exports from the country will require security reviews, beginning September 1.
The Cyberspace Administration of China's (CAC) policy was first floated in October 2021 and requires businesses that transfer data offshore to conduct a security review. The requirements kick in when an organization transfers data describing more than 100,000 individuals, or information about critical infrastructure – including that related to communications, finance and transportation. Sensitive data such as fingerprints also trigger the requirement, at a threshold of 10,000 sets of prints.
A Thursday announcement added a detail to the policy: the cutoff date after which the CAC will start counting towards the 100,000 and 10,000 thresholds. Oddly, that date is January 1 … of 2021.
A state official explained in Chinese state-owned media on Thursday that the efforts were necessary due to the digital economy expanding cross-border data activities, and that differences in international legal systems have increased data export security risks, thereby affecting national security and social interest.
The official detailed that the security review should occur prior to signing a contract that includes exporting data overseas. Any approved data export will be valid for two years, at which point the entity must apply again.
- Beijing explains what China's new data protection law really means – a month after it took effect
- China says it applied to join digital free trade deal days after proposing law against cross-border data flow
- Citing cross-border data transfer and privacy concerns, China promises security blitz on securities
- Law prof: New Chinese data regulations make it 'very hard for foreign firms to comply'
Domestic operators have long felt Beijing's lash for handling data badly. China's Uber analog, Didi, was booted from local app stores last year after it was accused of not complying with data protection laws.
A month prior, the CAC ordered 105 apps – including LinkedIn, Bing, and the Chinese version of TikTok called Douyin – to stop improperly collecting and using people's personal data.
But while Beijing has demonstrated that it would like to keep as much control over its data as possible, Xi Jinping announced in November that he wants in on free digital trade partnerships with other countries.
China's interest in personal data also extends offshore. It recently emerged that ByteDance, owner of TikTok, can view some data describing US-based users despite past assurances that's not possible. And earlier this week the leaders of MI5 and the FBI painted Beijing as entirely unafraid to steal data – to obtain influence, or raw information, or both.
A case of "if you can't join them, beat them" perhaps?®