China to Implement New Data Export Assessment Rules

A far-reaching new law . . . 

Last Thursday, the Cyberspace Administration of China (CAC), the country’s top cybersecurity regulator, announced the ‘Measures on Data Export Security Assessment’ will come into force on September 1. The measures spell out the scope and procedures of a new compulsory security review that will determine whether data on internet users can be transferred out of China. Beginning September 1, firms exporting “important” data out of China will be subject to assessment. Transfers of personal information carried out by “critical information infrastructure operators” and data processors managing the personal information of 1 million people will also undergo review.

Greater compliance costs and regulatory uncertainty . . .

In the past five years, Beijing has introduced three national laws on cybersecurity and data security, institutionalizing the right to digital privacy and strict standards of commercial data management. On the one hand, these efforts may have strengthened data governance, but on the other hand, they have also created a challenging business environment by introducing complex compliance requirements. As such, they contributed in part to the market exits of LinkedIn and Yahoo in 2021. The latest data assessment measures contain ambiguous and potentially sweeping definitions of “sensitive” and “important” data. Experts believe that the interpretive leeway left to CAC will add more red tape and compliance costs to the operations of foreign and Chinese companies in a wide range of industries.

Who regulates the regulator?

As China tightens the screws on digital platforms – including most recently on the country’s largest academic database, CNKI – to rein in their rapid growth in a regulatory vacuum, the Communist Party of China (CCP) remains beyond the scope of these new laws and regulations. Last week, reports of a massive Shanghai police database leak sent shockwaves across the globe but incited little reaction from inside the country due to the CCP’s censorship. A recent report suggests that the pandemic has only strengthened the CCP’s grip on digital governance, as authorities were able to field test an extensive digital monitoring infrastructure. As outlined in China’s 14th Five-Year-Plan for National Informatization released last December, Beijing’s ambitions to create an open national data platform aggregating public and proprietary commercial data should worry anyone concerned with data security.