fbpx

Type to search

China Regulator Issues Rules on Sending Personal Data Abroad

Companies that collect personal data will be responsible for assessing if it needs to be protected when it is transferred overseas, under new rules drafted by the China’s government regulator


Companies that collect personal data will be responsible for assessing if it needs to be protected when it is transferred overseas.
The Cyberspace Administration of China (CAC) has issued draft rules on the transfer of personal data overseas. File photo of CAC office in Beijing by Thomas Peter, Reuters.

 

Companies that collect personal data will be responsible for assessing whether it needs to be protected when it is transferred overseas, under new rules drafted by the China’s government regulator.

The Cyberspace Administration of China (CAC) said on Thursday it wants feedback from the public on the rules, which are designed to strengthen oversight over troves of data collected by the private sector and popular apps.

Under the draft rules, entities collecting personal data will be responsible for assessing the legality, legitimacy, as well as the need for the data, its scope and whether it would remain protected once it is transferred overseas.

The draft also covers methods of handling personal information by domestic processors and overseas recipients.

 

ALSO SEE: Didi Soars 50% on Report China to Lift Ban on New Users, App

 

Cybersecurity Reviews

China has in recent years emphasised the risks to national security inherent in transferring user data overseas.

CAC launched cybersecurity reviews into Full Truck Alliance and Kanzhun alongside Chinese ride-hailing giant Didi Global in July last year, and ordered them to stop registering new users, citing national security and the public interest.

On Wednesday, Full Truck Alliance and Kanzhun said they had rectified their security issues and received the regulator’s consent to resume new user registrations.

The draft rules are designed to bolster a data security law implemented last year September, which requires all companies in China to classify the data they handle into several categories and governs how such data is stored and transferred to other parties.

Organisations must also receive approval for cross-border transfer of core data and important data via a special mechanism, the law states.

In 2021, China implemented the Personal Information Protection Law (PIPL) and the Data Security Law (DSL), requiring international and domestic companies to re-evaluate how they handle Chinese personal data.

The PIPL sets how data is collected, stored and handled in mainland China. And it establishes data processing requirements and mandatory approval of data transfers by Chinese authorities if the data is requested by a foreign judiciary.

For multinational companies, the law also demands certain data protection certifications.

 

• Reuters with additional editing by Jim Pollard

 

ALSO on AF:

China Cybersecurity Rules Seen as Big Risk For Finance Firms

China Data Laws Make Disputes More Challenging, Says Forensic Firm

China’s Tech Crackdown Seen Leading to State-Supervised Data Trading Markets

China’s new data security law extends sovereignty to cyberspace

China unveils data security plan, says some countries bully others

 

Jim Pollard

Jim Pollard is an Australian journalist based in Thailand since 1999. He worked for News Ltd papers in Sydney, Perth, London and Melbourne before travelling through SE Asia in the late 90s. He was a senior editor at The Nation for 17+ years.