China’s top internet regulator is mulling a more specific security review on data going abroad, including companies that process data with more than 1 million users should report to the regulator before sending user-related data abroad, ramping up efforts on preventing data security risks.
The Cyberspace Administration of China said in the draft guidelines that the security review requirement would also cover firms with personal information and important data collected and generated by operators of critical information infrastructure, as well as data sent abroad contains important information.
Companies that provide personal information of more than 100,000 people or sensitive personal information of more than 10,000 people abroad would also be bound by the requirement, it said.
“The proposal is a concrete implementation on data going abroad among three pillar-like acts in China. It is not only for data security, or cybersecurity, but also an indispensable step to ensure the safe development of cross-border business,” Zuo Xiaodong, vice president of the China Information Security Research Institute, told the Global Times on Friday.
China, boasting of one of the most developed digital economies in the world, has been accelerating its push to build its data regulation. In August, China passed its Personal Information Protection Law. The new legislation is set to be implemented on November 1.
Together with the Cyber Security Law, which came into effect on June 1, 2017 and Data Security Law, which was implemented on September 1, the three laws create a comprehensive legal framework on information protection of Chinese people, corporate data compliance practices and China’s digital economy and the world.
In the one million person benchmark, Zou said it reflects the challenges that the complexity and diversity of network operators and data processors have brought to legislative work under the widespread application of information technology.
If this threshold is set too low, it will bring a high cost to enterprises and government work, but sometimes tens of thousands of personal information has reached the ceiling handled by an enterprise with a huge impact, especially in the smart car industry, he added.
Different cities and industries also take such moves. In November, the Shanghai government released a draft version on data rules, following Shenzhen’s move. Shanghai regulates the application of face recognition technology, and Shenzhen’s lawmakers reviewed regulations in areas like artificial intelligence.
The continuous measures taken on cybersecurity reviews come after seven departments required Chinese ride-hailing giant Didi Chuxing to undergo a cybersecurity review in July, right after its massive US IPO in July.
Last month, China’s industry ministry drew up draft rules aimed at strengthening its new data security law, including defining “core” and “important” data for which cross-border transfers must receive approval.
The State Administration for Market Regulation said on Friday that super-large online platform operators should establish and improve data security reviews and internal control mechanisms. Data development activities involving the processing of users’ personal information and cross-border data flow must be carried out in strict accordance with laws and regulations to ensure data security.
The threshold of a million users, as clarified by the new rules, means almost all platforms operating in China which aspire to sell shares abroad need to go through a cybersecurity review, Liu Dingding, a Beijing-based internet sector analyst, told the Global Times.
The Chinese regulator is patching up regulation shortcomings as companies make a leap forward on data proceedings, Lu Chuanying, director of the Research Center for International Cyberspace Governance under the Shanghai Institute for International Studies, told the Global Times on Friday. “Enhancing overseas-bound data rules is in line with global practices,” he said.
However, he said making the best practice is a challenge because while China’s framework is principled, it is different from other developed countries such as the European Union, which has strict law enforcement.
The validity period of a successful security review is two years, but according to the draft rules, “the changes in the legal environment of the country or region where the overseas recipient is located” may prompt a re-review.