On October 29, the Cyber Administration of China (CAC), China’s Internet regulator, released a draft regulation on the security assessment for data “leaving the country,” aiming to further tighten controls on the cross-border flow of data.
The draft regulation proposes that data operators should conduct a risk assessment before sending data outside the country. The assessment should include the quantity, scope, type and sensitivity of the data, as well as the risk that the outflow of the data may bring to national security, public interests and the legitimate rights and interests of individuals or organizations.
After the Chinese ride-sharing giant Didi Chuxing went public in the U.S. in late June, the CAC launched an immediate probe into the company and suspended its new user registration, citing “safeguards against national data security risks.”
The state media later claimed that the IPO of companies such as Didi in the U.S. would inevitably involve data leaving the country. The Data Security Law passed by China’s National People’s Congress in June prohibited them from providing domestically stored information to foreign law enforcement agencies.
According to the authorities, the draft regulation is based on China’s Cybersecurity Law, its Data Security Law, and its Personal Information Protection Law.
China’s Cybersecurity Law, which came into effect in 2017, already stipulates that critical information infrastructure operators shall store important data within China and shall conduct security assessments if they genuinely need to provide it outside of China. The Data Security Law, which came into effect in September this year, specifies penalty standards for operators who provide important data outside of China in violation of the aforementioned provisions. The Personal Information Protection Law, which came into effect on November 1, stipulates that critical information infrastructure operators and personal information processors that handle personal information up to the amount specified by the state cyber authorities shall store the relevant personal information within China. If they genuinely need to provide it outside China, they must pass the security assessment conducted by the state cyber authorities.
This means that the Chinese government had already begun, several years ago, to regulate the way information processors store data. It has also placed a higher threshold on the security assessment of data leaving the country.
The draft regulation stipulates several situations in which data processors should make a declaration of a security assessment to cyber authorities when providing data outside the country: 1) outgoing data contains important information; 2) data provided by operators that process personal information on up to one million people; 3) data that contains personal information on more than 100,000 people or sensitive personal information on more than 10,000 people. The cyber authorities should complete the security assessment within sixty working days.
Source: People’s Daily Online, October 29, 2021