China’s cyberspace regulator sets out guidelines for exporting sensitive data
Dina Temple-Raston October 29, 2021

China’s cyberspace regulator sets out guidelines for exporting sensitive data

China’s cyberspace regulator sets out guidelines for exporting sensitive data

China’s internet watchdog, the Cyberspace Administration of China (CAC), released a new set of rules on Friday that will require companies with more than 1 million Chinese users to subject themselves to a security review before they can transfer any Chinese data abroad. 

The new rules affect all data leaving China and could impact not just Chinese companies with overseas listings, but the day-to-day operations of foreign companies operating in China.

Under current Chinese law, companies are supposed to undergo a data security assessment before sending Chinese data overseas, but because details of that assessment have been so murky, the regulations have been toothless.

The “Measures for Data Export Security Assessments” draft released on Friday is a bid to change all that by standardizing procedures. Among other things, the CAC announced that it would now be the agency responsible for the security reviews. 

Reviews will be required for companies exporting “critical infrastructure” data, and any company that has already sent abroad, or intends to send abroad, the personal information of more 100,000 users or “sensitive” personal information belonging to 10,000 users, will also need to go through the security assessment, the CAC said.

The draft regulations even detail which documents companies will need to submit for review and said that as a general matter the CAC would take 45 days to do their assessments. More “complicated cases” could require up to 60 days, it said. A CAC certification, once approved, will be valid for two years unless there are “changes in the legal environment of the country or region” where the data is being sent, it said. 

The new draft rules build on a roster of recent regulations the CAC has proposed to safeguard Chinese data. In September, China’s ministry of industry published draft rules that included definitions of what it considered “core” and “important” data that needed approval before leaving the country. 

The latest proposed measures are open to public review until Nov. 28, after which they are likely to be adopted in their entirety.

Dina Temple-Raston is a senior correspondent at The Record, and previously served on NPR's Investigations team focusing on breaking news stories about national security, technology, and social justice.