Driving commercial and political engagement between Asia, the Middle East and Europe
Driving commercial and political engagement between Asia, the Middle East and Europe
Following the release of new draft regulations on data transfer by the Cyberspace Administration of China, Zhouchen Mao, Head of Research and Advisor, takes stock of the new rules and implications.
A new set of draft rules released by the Cyberspace Administration of China (CAC) will, when implemented, considerably ease the restrictions on cross-border flow of data for foreign companies and multinationals. However, some ambiguity remains and will continue to pose uncertainty for businesses.
The recent introduction of draft rules on the cross-border transfer of data suggests China intends to support the private sector on this key issue. The rules follow the call in August from the State Council to establish green lanes to allow qualified companies to export data. Furthermore, the State Council also recommended piloting a list of data that would be permitted to be freely transferred between major cities, including Beijing and Shanghai. These latest shifts in data regulation implies that pro-business voices in government could be gaining traction in this crucial sector, where data security regulations have hindered operations for both domestic and foreign businesses.
Current data landscape
To operate efficiently, multinational corporations (MNCs) in China need to able to transfer data freely. While all sectors of the economy rely on the cross-border flow of data, the tech sector is particularly sensitive to restrictions on data transfer due to the vast databases of personal information. Given China’s increased security push in recent years, several data regulations have been introduced, creating considerable compliance burdens for organisations and MNCs that seek to transfer data abroad. In particular, the Cybersecurity Law that came into effect in 2017 requires critical information infrastructure operators (CIIO) who gather “personal and important data” to carry out security assessments prior to data transfer out of China.
The scope was further expanded in September 2021 to include data handlers with important data and personal data which greatly increased the number of entities affected. MNCs also faced uncertainties due to ambiguous provisions, such as what classified as “important data” and who was a CIIO, leaving the definitions largely up to interpretation by the regulators. In the first half of this year, the Cyberspace Administration of China (CAC) dismissed many outbound transfer requests as non-essential. Such decisions have led MNCs to consider increasing data isolation for their Chinese operations.
The new draft regulations
The new draft regulations contain 11 proposals to ease cross-border data flows. If implemented, the proposed changes would mitigate compliance risks and operational burdens required to store much of the data within the country. Furthermore, these rules would simplify the security assessment process that often results in protracted administrative red tape.
The most pivotal of the 11 proposed changes include:
In introducing these new draft regulations, China has shown both a degree of responsiveness to the concerns of MNCs and a commitment to implementing its rhetoric on bolstering the confidence of the private sector.
The relaxation of data rules, if implemented, will significantly lower regulatory risks. But the proposed regulations will not eliminate such risks entirely, because the ambiguity around what constitutes “important data” remains unresolved since regulators can still draw redlines and trigger security assessments on companies it considers possessing “important data”. Additionally, for Chinese companies listed on US stock exchanges, it remains unclear whether compliance with US government audit requirements would also trigger a security assessment.
While the draft rules are a positive signal that authorities are heeding some concerns of multinationals, it is still too early to conclude if the latest reform is part of a wider drive to prioritise growth that could reinvigorate the economy and set the country on a more sustainable economic path.