November 15, 2024

China’s cyberspace regulator on Thursday said that rules requiring data exports to undergo security reviews would be effective from September 1, the first time it has given a start date for a new regulatory framework that will affect hundreds, if not thousands, of Chinese companies.

The details of a new compulsory security review to be carried out by the Cyberspace Administration of China (CAC), which will be used to determine whether large quantities of Chinese user data in the possession of a private entity can be sent overseas, were also finalised and published on Thursday, the regulator said in a statement on its official WeChat account.

While much of what the security review will entail was already laid out by the CAC in draft rules published last October, the final version published on Thursday adds an important detail.

Companies or entities that have since January 1 of last year sent abroad the personal information of 100,000 or more users, or “sensitive” personal information belonging to 10,000 or more users, would also have to undergo the CAC security review.

Previously it was unknown from which date the CAC would measure the size of companies and entities’ user data troves.

The January 1 date confirms that the scope of the security review will go far beyond just “operators of critical information infrastructure and data processors handling personal information of more than 1 million people”, another category defined early on by the CAC draft rules.

“Clarifying the specific provisions of the data export security review is necessary to promote the healthy development of the digital economy, prevent and resolve cross-border data security risks, safeguard national security and the societal and public interest,” CAC said on Thursday.

China’s concerns regarding overseas data exports have recently bruised a number of Chinese companies.

The CAC launched cybersecurity reviews into Chinese companies Full Truck Alliance, Kanzhun Ltd, and ride-hailing giant Didi Global in July last year, ordering them to stop registering new users, citing national security and the public interest.

While Full Truck Alliance and Kanzhun announced the resumption of new user registration last week and said it had “rectified” the issues identified by the CAC’s probe, Didi has yet to make a similar announcement.

© Thomson Reuters 2022