China makes it even harder for data to leave its shores

Starting in June, companies operating in China must undergo a regulatory intervention when sending data abroad, thanks to the Cyberspace Administration of China (CAC).

The CAC announced on Friday that businesses that handle the personal information of up to 1 million people, or want to send user information of up to 100,000 individuals abroad, will need to sign a standard contract before doing so and file it with a local CAC office within 10 working days of it taking effect.

Within the contract, the firms must conduct assessments on the risk of data being tampered with or misused and file a declaration of the assessment with local government administration. Other requirements of the contract include divulging the scale, scope, type and sensitivity of the information and how it’s managed overseas.

To use these contracts, those sending the information must also be non-critical information infrastructure operators, and the company must have sent the personal data of fewer than 10,000 people overseas since January 1 of the previous year.

The standard contract will apply to most cross-border transactions that occur from China.

But companies that do not qualify will have to rely on a different process – either engaging a designated agent for certification or passing the CAC’s stricter security assessment. Certification is for related entities while security assessment will be taken up by banks, mobile operators or those that process data of more than 1 million Chinese individuals.

Just in case a company thought it was being clever, the CAC warned businesses not to split up data into batches to qualify for the standard contract instead of the certification or security assessment.

The CAC said that if it found a greater data security risk, it could “conduct interviews with the personal information handlers in accordance with law.” The regulator also reserved the right to change the rules. Businesses that don’t comply must fix their processes within six months or face penalties.

The policies are part of China’s Personal Information Protection Law (PIPL) which first came into effect in November 2021.

Critics have said the new standard contract requirements are costly, but according to the CAC, they “protect the rights and interests of personal information and regulate activities of exporting personal information abroad.”

Many foreign entities have already found Chinese regulations tough enough to throw in the towel and leave.

Yahoo ditched Chinese operations as the PIPL came into effect, citing “the increasingly challenging business and legal environment in China.”

LinkedIn left a month prior, citing similar reasons. ®
