Personal Information Export Rules Could Cost Foreign Companies
Proposed regulations governing the export of personal information under China’s Cybersecurity Law are expected to increase the compliance cost for foreign companies.
The draft rules, released by (link in Chinese) the Cyberspace Administration of China (CAC) Thursday, said the export of personal data from China would require a new level of security assessment by CAC officials.
Personal data — deemed as that which can “impact national security, damage public interest or is not fully secured” — would not be allowed to be exported, according to the draft.
The new rules, open for public comment until July 13, are an extension of a broader cybersecurity law issued in 2017 that only emphasized self-assessment of personal data export without government approval.
For multinational corporations, the proposed rules mean they would now be liable for an additional level of government assessment for information on the likes of local employees and suppliers before sending it to a global database.
“This would be a significant ‘burden’ for foreign firms,” said Kevin Duan, a lawyer from prominent Chinese law firm Han Kun. He added that foreign firms usually have an in-house department or partner with third-party agents handling such data export activity.
The proposed rules would have a direct impact on businesses relying on overseas data services. They would need to opt for a data localization strategy to avoid the assessment procedures.
Also, the rules would create much greater uncertainty for overseas operators which collect data for companies with cross-border business, according to Han Kun. That’s mainly due to the ambiguity of the draft, which didn’t include a specific requirement for offshore firms, the company said in a WeChat post.
The draft indicated these offshore firms would need to get their required government assessment done by an onshore representative.
Also, the massive amount of work involved in the approval assessments would be a big burden for CAC authorities. Han Kun has urged the government to build more flexibility into implementation of the policy.
“A universal requirement of prior government assessment for network operators collecting personal data may be difficult to implement, and sometimes unnecessary,” the Chinese law firm added.
Zhao Runhua contributed to report.
Contact reporter Mo Yelin (firstname.lastname@example.org)
- MOST POPULAR