China’s cross-border data transfer rules to take effect in September
China’s top cyberspace regulator announced on Thursday that a set of regulations on security assessment of cross-border data transfers would begin to be implemented in September.
The Measures on Security Assessment of Cross-Border Data Transfer, released by the Cyberspace Administration of China(CAC), stipulates the circumstances under which domestic companies should report to government departments for a data security review before they are allowed to transfer any data out of China.
As defined by the “Measures,” cross-border data transfer includes transferring data collected and generated in China to overseas, as well as providing overseas organizations or individuals with access rights to data stored or generated in China.
According to the regulations, the security review for the cross-border data transfer is required in the following three situations:
(1) Send critical data outside China.
(2) Transfer of data generated by operators of critical information infrastructure and transfer of personal information by a data processor that processes personal information of one million or more individuals.
(3) From January 1, 2021, data processors who transfer the personal information of 100,000 people or the sensitive personal information of 10,000 people should also undergo a security review.
(4) Other situations specified by China’s cyberspace watchdog that need data export security review declaration.
The Measures also require data processors to conduct a self-assessment for cross-border data transfers. They should consider factors such as legality, legitimacy and necessity of transfer, as well as the risks such data transfer might bring about.
Data security has been a major issue in China in recent years. The government has enacted a slew of laws to safeguard personal information. In 2017, Beijing implemented the Cybersecurity Law, followed by the Data Security Law and the Personal Information Protection Law in 2021.
The forthcoming “Measures” are based on the three data laws and demonstrate the state’s latest efforts to strengthen data security and prevent potential risks.
Data has become a national resource as digitalization spreads throughout the globe. “In today’s world, every country should build a proper management system for data export,” Zuo Xiaodong, said, adding that “if a government does not safeguard the security of cross-border data transfer, it will be very dangerous.” Zuo is a professor at the School of Public Affairs and the School of Cyberspace Security at the University of Science and Technology of China.
China’s security management system for cross-border data transfer is in line with international standards, especially the European Union, according to the professor. “The Measures largely make up for national security loopholes and improve the security of data transfer,” he said.
Cover image by Towfiqu barbhuiya on Unsplash