The Cyberspace Administration of China (CAC) has recently unveiled the "Regulations to Promote and Standardize Cross-Border Data Flows," aimed at smoothing the path for international data exchange while introducing oversight measures.
Under these rules, as long as data doesn't fall under "critical data" and complies with security and personal data protection standards, no special reporting is required for cross-border transfers. This signals a response to the grievances of foreign businesses, suggesting a relaxation of regulations surrounding cross-border data transfers in China.
The CAC provided examples to illustrate the scope of the regulations: data utilized in international trade, cross-border logistics, academic collaborations, global manufacturing, and advertising, among other sectors, need not be reported if it doesn't contain personal or critical information. Additionally, companies with fewer than 100,000 users in a year and no sensitive personal data in their datasets are exempt from reporting requirements.
Moreover, China's free trade zones have been granted autonomy to establish lists delineating prohibited categories for overseas data transmission, subject to approval by regulatory authorities. There are 20 zones across China, including major cities like Beijing and Shanghai.
However, industries and entities identified as "critical information infrastructure" are still mandated to report data transfers abroad due to the sensitive nature of their operations impacting national security. These sectors include telecommunications, energy, transportation, finance, and defense technology.
Furthermore, companies holding substantial user data, exceeding one million users for overseas transmission or containing sensitive data from over ten thousand users, are also subject to reporting requirements.
Bloomberg's analysis highlights lingering ambiguities within the regulations, notably the discretionary power wielded by regulatory bodies in defining "critical data." Nevertheless, it acknowledges the regulations' potential to alleviate compliance burdens for small to medium-sized enterprises. Moreover, multinational corporations may find reassurance in reduced concerns regarding data collection, particularly in scenarios like recruitment processes.
Comparatively, China's data transmission regulations, introduced in 2021, are deemed more stringent than the European Union's data protection policies, posing heightened compliance challenges for businesses across sectors. Challenges such as sluggish approval processes for data transmission persist, impacting industries ranging from hospitality to banking.
Pressure from foreign business entities has been instrumental in advocating for relaxed restrictions, underscored by discussions on overseas data transmission during the China-EU Summit in December 2023. This signals a dialogue between China and the EU concerning data governance issues.
According to Trivium, a Chinese policy research institution, the relaxation of data transmission regulations holds significance, indicative of the Chinese government's responsiveness to concerns voiced by foreign enterprises. However, hurdles may still exist in navigating cross-border data transfers for major players in the finance, pharmaceutical, and automotive industries.
Joint-Win Partners highlights the newfound clarity offered by the regulations, emphasizing their role in assuaging concerns for foreign investors and mitigating compliance costs for enterprises.