What’s new: China’s internet regulator Friday issued draft rules that will impose stricter requirements for data leaving the country as authorities move to tighten oversight of data security.
Under rules (link in Chinese) drafted by the Cyberspace Administration of China (CAC), a national security review will be required for data transfers outside the country involving the personal information of 100,000 individuals or more.
Security screening by regulators will also be required for cross-border transfer by operators of critical information infrastructure; transfer of “important data”; companies that transfer personal data encompassing at least 100,000 people; and cross-border transfers of sensitive personal data, such as fingerprints, affecting 10,000 or more people, according to the rules.
Regulators will assess the purpose, scale and methods of the data transfer and determine whether it is lawful and necessary, according to the draft directives, which will be open for public opinion through Nov. 28.
Why it matters: The new rules are likely to have far-reaching effects on companies handling massive amounts of user data, especially overseas-listed tech businesses, analysts said.
China has tightened controls on data transfers outside the country in recent years under a broader clampdown on risks in the internet sector. Earlier this year, authorities launched a cybersecurity investigation into ride-hailing giant Didi shortly after its U.S. share sale.
In June, China passed a new Data Security Law, which took effect Sept. 1. The country also passed its first national Personal Information Protection Law In August, setting strict rules on how companies should treat the personal information gathered and collected from China’s more than 900 million internet users. The legislation, which is based on the principle of informed consent, will go into effect Nov. 1.
Contact reporter Han Wei (weihan@caixin.com) and editor Bob Simison (hello@caixin.com)
Get our weekly free Must-Read newsletter.
