China’s cybersecurity rules requiring reviews for certain personal data would be effective from September 1, the country’s internet regulator said.
The rules will govern how companies and other entities handle large quantities of personal user information, the Cyberspace Administration of China (CAC) said in a statement.
They also govern the obtaining of permission to export this data overseas.
“In recent years, with the vigorous development of the digital economy, cross-border data activities have become increasingly frequent, and the data export demand of data processors has grown rapidly,” CAC said.
“Clarifying the specific provisions of data export security assessment is the need to promote the healthy development of the digital economy,” it added.
China National Security Risk
Under China cybersecurity rules, IT infrastructure operators that purchase network products and services and network platform operators that carry out data processing must apply for a cybersecurity review if national security will or may be affected.
“They are obliged to evaluate any national security risk that may arise after the use of network product or service when procuring such a product or service,” Guo Bingna, of White & Case law firm, said.
She said the new measures provide specific rules for public listings of certain network platform operators, but do not offer guidance on what other types of data processing may be part of the Chinese authority’s focus for a cybersecurity review.
Under the new China cybersecurity measures, a network platform operator that possesses personal information of more than 1 million users and plans to be listed in foreign countries must apply for a cybersecurity review.
- Reuters, with additional editing by George Russell