China’s cyberspace watchdog has released new draft rules that could further tighten the government’s control over cross-border data transfers, especially for overseas entities that collect data from users in China.

The new rules would explicitly require overseas operators that transfer personal data out of the Chinese market to perform security assessments overseen by the Cyberspace Administration of China through a China-based representative, before they can make the transfers.

This is “one step further” than previous proposals, which didn’t include a specific requirement for offshore firms, prominent Chinese law firm Han Kun said in a note published on WeChat.

The new rules, which fall under a broader cybersecurity law that took effect in 2017, could complicate operations for entities ranging from foreign e-commerce sites to hotel booking platforms that move personal data from Chinese users to overseas facilities.

Additionally, domestic businesses relying on overseas data services would face significant challenges and uncertainty, Han Kun said.

Related: Regulators Issue More Draft Rules to Tighten Up Lax Data Protection

Contact reporter Zhao Runhua (runhuazhao@caixin.com)