This move is being seen in the tech community as a positive step toward addressing issues that have plagued foreign businesses in China in recent years.
China is finally taking steps to ease its stringent regulations on cross-border data transfers in an effort to boost confidence among businesses and attract foreign investment. The Cyberspace Administration of China (CAC) has recently unveiled a draft proposal aimed at simplifying the process of transferring data abroad for various everyday business activities.
The existing rules have been much criticised for their lack of clarity, leaving many businesses uncertain about what exactly constitutes “critical data” that requires security assessments. This lack of clarity has been a major obstacle for companies operating in China.
The proposed changes now aim to provide a clearer definition of what data requires security assessments. Under the new rules, only data explicitly designated as important by government agencies would be subject to review. This is expected to streamline the data transfer process for most businesses.
What do the new regulations entail?
One of the key features of the regulation is the exemption of most everyday business operations from security oversight. These activities include data generated through international trade, academic cooperation, cross-border manufacturing, and marketing, provided they do not contain any personal information or critical data.
Furthermore, any personal information required for cross-border purchases, hotel and plane reservations, and employment purposes can be sent abroad without the need for security reviews. This is likely to relieve the burden of compliance on foreign retailers, banks, travel agencies, and HR departments operating in China.
The proposed regulation has also set different thresholds for security assessments based on the volume of personal data being transferred. For data exports involving less than 10,000 Chinese individuals in a single year, there would be no need for a security assessment or personal data protection review. For data exports involving up to 1 million Chinese individuals, a security assessment can be waived if a standard export contract is used or special certification is obtained. Only data exports involving more than 1 million individuals would require a mandatory security review.
How much effect will they actually have?
This move is being seen in the tech community as a positive step toward addressing issues that have plagued foreign businesses in China in recent years. Compliance costs have increased sharply, and ambiguity regarding data transfer rules has forced some foreign firms to exit the Chinese market. The proposed regulation aims to offer some more clarity on data transfer rules, stabilising the environment for businesses.
However, China’s focus on data security still remains its top priority, and certain exemptions are intended to strike a balance between data security and promoting business. While the proposed rules have been praised overall by firms, the real impact on foreign investment and operations in China will only become clearer after full implementation.
This proposal is in line with China’s renewed efforts to seem more welcoming to foreign investors and businesses. While many roadblocks still remain, such as a newly expanded anti-espionage law and stricter domestic security measures, this relaxation of data regulations is still a much-needed step – especially as the more traditional sectors of the Chinese economy seem to be wobbling.