New Chinese regulation requires security assessment for data export
Wed 12 Apr 2017
The Chinese data protection law, due to be implemented in June 2017, requires that data on Chinese consumers be stored within the country, requiring multinational corporations to set up data centers within Chinese borders.
A new article of the law, drafted by the Cyberspace Administration of China, sets forth regulations for exporting data outside of China. Should the draft be accepted, it will be enforced as part of the overall Chinese data regulation program.
According to the latest revision, all firms that export data must undergo a random security assessment by the Cyberspace Administration, as well as periodic assessments related to the transfer of data packets. Should a firm wish to export any data packet over 1,000 GB, or affecting more than 500,000 users, it must undergo an additional security assessment to determine whether the transferred data has the potential to harm national interests. Companies must obtain the consent of users prior to exporting personal data overseas.
The proposed law would also ban the export of economic, technological or scientific data that could threaten national security or public interest. Sensitive geographic and ecological data would also have to be reviewed for impact before export.
In most cases, though, data generated in China must be stored within Chinese borders. Every multinational company hoping to do business in China is therefore required to have a data center within Chinese borders.
Should a company store Chinese data outside of China, or export data without first undergoing a security assessment, the government may impose fines on the company and on individual employees who are deemed to be responsible for the violation. It may also, at its discretion, revoke or cancel permits or licenses, suspend operations, and/or shut down a company’s website.
When companies collect user data, the government requires that users provide real names and true identities. Foreign companies operating in China must also provide the authorities with wiretap access in the case of a criminal or national security investigation.
The Chinese government sees the data protection regulation and attendant data export requirements as a necessary step toward safeguarding against threats such as hacking and terrorism. However, some have protested the laws as unfairly targeting foreign businesses.
The draft of data export regulations is open for public comment until May 11. If accepted, it will be put into effect in June.