cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram

China clamps down on companies shifting personal data beyond its borders

The Cyberspace Administration of China has announced new regulations governing the movement of personal data across its international borders.

user icon David Hollingworth
Tue, 28 Feb 2023
China clamps down on companies shifting personal data beyond its borders
expand image

As of 1 June, any company wishing to export personal information under a range of thresholds will need to sign a contract with the CAC before doing so. This is now required of any “non-critical information infrastructure operators” dealing with the information of fewer than 1 million people.

Further, to qualify for a contract, businesses must have received the personal information of up to 100,000 individuals since 1 January of the previous year and have sent the data of less than 10,000 people overseas since that same date.

The contract also requires companies to conduct risk assessments regarding the necessity and legality of moving the data and to assess whether any entity receiving the data has done the same. The sensitivity of the data, and the risk of it being tampered with, must also be assessed.

Companies are also not allowed to split up data into different lots to get around these new regulations, and CAC also points out that the rules are subject to change, though CAC also declares that the department itself will keep anything that it learns while enforcing the contract — including business secrets – illegally.

Once all the assessments have been made, they must be filed with local provincial authorities in China — along with the contract itself.

If local authorities then feel the risks of moving the data are too great, then companies will need to submit to interviews with local authorities. Any violations of the contract will be treated as a crime and investigated.

The new regulations come into effect on 1 June 2023.

This is just another set of laws and circumstances likely to drive companies out of doing business within China. Derek Scissors, senior fellow at the American Enterprise Institute, sees many reasons for companies to pack up their bags.

“A weakening economy. COVID-related lockdowns. Reciprocal trade sanctions. Possible conflict over Taiwan. There are many reasons for companies to curb China operations,” Scissors said in a 2022 blog post.

“Firms exporting from China are already shifting operations on a small scale — Xi’s aggressiveness overseas and insistence on near-absolute control make commercial risk too high to ignore.”

Apple and Google have already pulled out of the country for a range of reasons, and both LinkedIn and Yahoo have cited China’s Personal Information Protection Law, which came into effect in 2021, for their departure.

Comments powered by CComment

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.