Following the release of new draft regulations on data transfer by the Cyberspace Administration of China, Zhouchen Mao, Head of Research and Advisor, takes stock of the new rules and implications.
A new set of draft rules released by the Cyberspace Administration of China (CAC) will, when implemented, considerably ease the restrictions on cross-border flow of data for foreign companies and multinationals. However, some ambiguity remains and will continue to pose uncertainty for businesses.
The recent introduction of draft rules on the cross-border transfer of data suggests China intends to support the private sector on this key issue. The rules follow the call in August from the State Council to establish green lanes to allow qualified companies to export data. Furthermore, the State Council also recommended piloting a list of data that would be permitted to be freely transferred between major cities, including Beijing and Shanghai. These latest shifts in data regulation imply that pro-business voices in government could be gaining traction in this crucial sector, where data security regulations have hindered operations for both domestic and foreign businesses.
Current data landscape
To operate efficiently, multinational corporations (MNCs) in China need to be able to transfer data freely. While all sectors of the economy rely on the cross-border flow of data, the tech sector is particularly sensitive to restrictions on data transfer due to its vast databases of personal information. Given China’s increased security push in recent years, several data regulations have been introduced, creating considerable compliance burdens for organisations and MNCs that seek to transfer data abroad. In particular, the Cybersecurity Law that came into effect in 2017 requires critical information infrastructure operators (CIIO) who gather “personal and important data” to carry out security assessments prior to data transfer out of China.
The scope was further expanded in September 2021 to include data handlers with important data and personal data, which greatly increased the number of entities affected. MNCs also faced uncertainties due to ambiguous provisions, such as what was classified as “important data” and who was a CIIO, leaving the definitions largely up to interpretation by the regulators. In the first half of this year, the Cyberspace Administration of China (CAC) dismissed many outbound transfer requests as non-essential. Such decisions have led MNCs to consider increasing data isolation for their Chinese operations.
The new draft regulations
The new draft regulations contain 11 proposals to ease cross-border data flows. If implemented, the proposed changes would mitigate compliance risks and operational burdens required to store much of the data within the country. Furthermore, these rules would simplify the security assessment process that often results in protracted administrative red tape.
The most pivotal of the 11 proposed changes include:
- Data associated with international trade, academic cooperation, and marketing would no longer require prior authorisation for cross-border transfer.
- With regard to the ambiguous term “important data”, an approval for data transfer would become necessary only when authorities have clearly indicated that the data comes under the category.
- Businesses transferring certain personal data, such as contractual agreements, would no longer be required to undergo a security assessment by the CAC or obtain personal information certification checks.
- The draft regulations ease the thresholds of the volume of data that a company can export before requiring certain approvals. The new rules would state that if a company exports personal information of fewer than 10,000 people within a year, no approval process is required. Businesses expected to transfer personal data of between 10,000 and one million people would need to sign a standard agreement with the CAC. Finally, only companies anticipating transferring personal data of more than one million people in a year would be required to undergo a security assessment.
- As part of the preparation for the new rules, China’s free trade zones were asked to formulate a “negative list” of certain types of data for which businesses must receive approval from the CAC to export. This implies that any types of data that are not included in the negative list could be freely exported through the zones.
- Perhaps the most important change is granting businesses a more decisive role in determining the type of data outflow necessary for their global operations. If data has not been specified as “important”, then it will not be treated as such. Under the previous rules, the CAC decided which outbound data transfers were considered necessary.
In introducing these new draft regulations, China has shown both a degree of responsiveness to the concerns of MNCs and a commitment to implementing its rhetoric on bolstering the confidence of the private sector.
The relaxation of data rules, if implemented, will significantly lower regulatory risks. But the proposed regulations will not eliminate such risks entirely, because the ambiguity around what constitutes “important data” remains unresolved: regulators can still draw red lines and trigger security assessments on companies they consider to possess “important data”. Additionally, for Chinese companies listed on US stock exchanges, it remains unclear whether compliance with US government audit requirements would also trigger a security assessment.
While the draft rules are a positive signal that authorities are heeding some concerns of multinationals, it is still too early to conclude if the latest reform is part of a wider drive to prioritise growth that could reinvigorate the economy and set the country on a more sustainable economic path.