According to new guidelines unveiled Friday, companies in China would need official approval to transmit vital data abroad, tightening Beijing’s control over information and potentially disrupting operations for foreign enterprises.
The action is necessary to protect the Chinese public and “defend national security,” according to China’s Cyberspace Administration.
The government of President Xi Jinping views information about China’s 1.4 billion citizens in private hands as a potential security danger. It has published a flurry of guidelines aimed at strengthening control over how businesses collect and manage data.
Investors have slashed the overall market value of e-commerce platform Alibaba, games and social media operator Tencent, and other digital companies by more than $1.3 trillion since a data security crackdown began in late 2020.
According to the CAC, companies who want to send sensitive data overseas must report on the amount and type of data involved, as well as security procedures. Within a week, regulators would determine whether to accept it or undertake their own investigation, which might take up to 60 days.
The rules would apply to transfers involving at least 10,000 people’s “sensitive personal information,” as well as any company that manages data on more than one million people. They don’t say anything about what’s significant or sensitive.
Companies are not allowed to store information about Chinese citizens outside of China, according to previous regulations.
As a result, worldwide corporations have complained that they are at a disadvantage because they can’t integrate data from China with data from other countries, but Chinese competitors can collect all of their data at their headquarters.
A separate law, which goes into effect on Monday, specifies security standards, prevents corporations from releasing customer information without their consent, and requires them to limit the amount of data they gather. Unlike in Western countries, China’s data privacy laws include no provision for limiting government or ruling Communist Party access to personal data.