How China is tightening controls over cross-border data transfers

(By Caixin journalists Qian Tong and Wang Xintong)

China is putting cross-border data transfer by multinational companies and others under the toughest government oversight ever.

On 1 June, the Measures on the Standard Contract for the Cross-Border Transfer of Personal Information came into effect, requiring certain personal data processors, including companies handling data on fewer than one million people, to sign contracts with overseas recipients before sending data abroad.

Those new rules became the latest effort by Beijing to tighten its grip over domestic data to protect national security. China's upper legislative framework for governing data security consists of three laws - the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law - and a series of government regulations backed by the laws.

Under the laws, the central government has established its personal data export regulatory regime. Apart from the measures on the standard contract, the regime includes rules requiring companies to apply for a security assessment from the country's internet watchdog or to apply for personal information protection certification from a qualified agency.

The regime is impacting businesses beyond multinational corporations doing business in China, Chinese companies listed overseas, and those in data-rich industries such as retail, internet, health care, automotive, civil aviation and finance.

However, industry insiders told Caixin that many aspects of the rules remain vague, such as in security assessments, thus slowing down the approval process and causing confusion - and even harm - for some companies.

While the central government hopes to develop the digital economy to uplift the country's GDP, the rules could slow down progress for the industry. Xu Ke, director of the University of International Business and Economics' research centre for digital economy and legal innovation, said regulators are struggling to strike a balance between enhancing data security and promoting data-driven economic growth.

According to the Measures for Security Assessment of Cross-border Data Transfer, which took effect 1 September, companies that process personal data involving more than one million people should undergo a security assessment if they want to transfer data overseas.

The measures require the companies to submit self-assessment reports to local cyber authorities and the Cyberspace Administration of China (CAC) for two rounds of review. Currently, a company can legally transfer Chinese data overseas by signing a contract with an overseas recipient and filing it with a local cyber authority, or by having the data pass a security assessment by the country's top internet watchdog.

Even though these measures have been in place for nine months, Xu said their implementation has been slow in practice as there are too many of such companies in China and not enough manpower to handle their assessment reports.

By the end of April, Shanghai's cyberspace regulator had received more than 400 assessment reports, of which only 0.5% were approved by the CAC.

The situation is similar elsewhere. Nationwide, authorities have received more than 1,000 applications to transfer data overseas, of which fewer than ten have made it through two rounds of review, a lawyer familiar with the matter told Caixin.

Caixin has learned that at the national level, while a data bureau of the CAC is responsible for reviewing and approving assessment reports, more of the work is actually done by special assessment personnel from a CAC subsidiary, which is a cybersecurity technical centre called the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC). The centre and the bureau have a combined staff of about 100 people.

In addition to staffing constraints, a lack of clarity of the review criteria is slowing down the approval process, with regulators and companies not seeing eye-to-eye on why the requested data transfers are necessary, the above-mentioned lawyer said. The measures for security assessment require applicants to explain why it is justified, legal and necessary for their data to flow overseas and for overseas recipients to process it, but not much more is specified.

Xu warned that taking "one-size-fits-all" measures may lead to overly strict restrictions on some industries, which is not conducive to balancing the needs of national security and the free flow of data, as not all industries pose national security concerns.

With the implementation of the measures on the standard contract this month, regulators will shift more of their efforts to helping these contracts complete the filing process, which in turn will speed up their approval of security assessments, a source close to the cyber authorities told Caixin.

However, He Yuan, executive director of the Shanghai Jiao Tong University's Data Law Research Center, noted the workload on local regulators could increase substantially as firms with fewer than one million people will also need to sign a standard contract starting June.

Since 2023, China's cyberspace authorities have stepped up publicity efforts, such as conducting lectures, to make corporations more familiar with data transfer rules, but compliance from firms appear to remain weak.

While authorities have had to deal with clearing the huge backlog of submissions from last year, the number actually falls short of the government's expectation. "There should be hundreds of thousands of companies nationwide that meet the 'more than one million pieces of personal information' threshold, but the number of companies being reviewed is nowhere near that many," Xu said.

Xu pointed to high compliance costs, difficulties in communicating with overseas data recipients and regulatory uncertainty as among the key factors affecting the firms' willingness to declare cross-border data transfers.

To avoid the hassle, companies tend to consult third-party agencies about filing security assessment reports. However, the service fees demanded by these consulting agencies can easily be in the hundreds of millions of RMB, putting smaller firms at a disadvantage, Caixin has learned. The quality of service from these agencies can also vary.

Even with the help of consultants, many enterprises had trouble getting approvals. According to Zhang Yao, a partner at Sun & Young Partners, a Shanghai-based law firm, many first-time applications didn't fully meet regulatory requirements. Although regulators have clarified requirements involving the core issues of what data needs to go abroad, through which systems, to whom, and whether there are security risks, but "sorting through these issues requires a lot of cost and effort" on the part of companies, Zhang added.

And for multinational companies, even if they are successful in sending personal data abroad, they face ongoing compliance investments in its subsequent use, said Chen Jihong, partner of the Beijing-headquartered Zhong Lun Law Firm.

At the same time, companies applying to transfer data have to file information about their overseas data recipients in their submitted reports, but these would-be recipients are often reluctant to share information. "For example, foreign internet giants such as Microsoft have made it clear that they will not cooperate with China's data security reviews," He told Caixin.

Two lawyers who spoke to Caixin said that there are still many unanswered questions, such as how comprehensive assessment reports should be. Hence, some companies tend to take an approach of holding back or sharing limited information when declaring data transfers, the lawyers said.

This issue of uncertainty clouding the assessment process is not looking to be resolved anytime soon. Because cross-border security assessment involves political security and national security, Xu said, it is unlikely that the authorities will make all the relevant information public. Several scholars also pointed out that making and issuing detailed compliance rules is not a top priority for regulators, given the amount of work involved.

Caixin understands that a multinational pharmaceutical company has suspended domestic clinical drug trials because they dare not transfer relevant data outside the Chinese mainland until they pass their security assessment. This would delay the launch of the relevant drugs in the domestic market, affecting consumer access and benefiting their domestic rivals, a company representative said.

At the same time, many companies are facing hurdles in raising capital and listing overseas, a capital markets lawyer told Caixin, explaining that vague standards regarding cross-border data flows have made domestic data providers, such as Tianyancha and Qichacha, more cautious in providing corporate information for fear of violations, limiting foreign investors from conducting due diligence that would help them make decisions.

Domestic companies seeking overseas IPOs are still suffering from the impact of the CAC's move last year to fine ride-hailing giant Didi Global 8 billion RMB (US$1.2 billion) for violating national security and personal information protection laws, the lawyer said. "Capital markets are still worried about stepping into the minefield [of data regulation]."

Strained China-US relations have also reduced the willingness of some US companies to increase investment in China, an American tech firm employee told Caixin.

According to a report published last month by accounting firm PwC, private equity (PE) and venture capital (VC) investment in China's telecom, media and tech industries was US$8.39 billion in the second half of 2022, down 61% from the first half.

The number of large PE/VC deals with investments of more than 100 million RMB fell 60% in the second half of 2022, the report said, noting a sluggish investment market.

Yet, there are companies willing to take risks in this climate of fear and uncertainty. To keep their businesses afloat, some online travel agencies have sent data abroad despite not passing security assessments, Caixin has learned. They will be held accountable in the event of a data breach or misuse, a Beijing-based lawyer said.

This article was first published by Caixin Global as "In Depth: How China Is Tightening Controls Over Cross-Border Data Transfers". Caixin Global is one of the most respected sources for macroeconomic, financial and business news and information about China.

Related: Ride-hailing giant Didi slapped with Chinese cybersecurity review days after IPO | Why platform companies seek monopoly and what happens when governments rein them in | Does end of Didi probe signal new beginnings for China's internet economy? | Can Chinese e-commerce platforms Shein and Temu thrive in US and overseas markets?