Easier cross-border data transfers back up China’s business-friendly messaging with practical change
- Allowing the resumption of cross-border data transfers in day-to-day business shows pragmatism can still prevail in Chinese policymaking
- The regulatory ambiguity of requiring a cybersecurity review for almost any data generated in China was paralysing for the business community
China has been building up a comprehensive and strict data regulatory framework over the last couple of years. With these rules, intended to ensure sufficient state oversight of cross-border data transfers, regulators have rushed to translate Beijing’s strategic security concerns into articulated rules that individuals and businesses must follow.
The impact of this move has been clear: with one law drafted after another, the state gradually increased its power over data with sometimes vague legislation, leaving government agencies to sort out the details of enforcement. Yet not even the administrative state has ironed everything out, leaving business executives and corporate lawyers scratching heads over what is allowed.
Some believe that new data rules are intentionally vague to give arbitrary power to regulators through impromptu implementation. More realistically, a sense of national emergency pushed Chinese regulators to rush new regulations before having a clear idea of how the rules could be implemented.
China proposes relaxing security reviews for most cross-border data flows
In this haste to plug loopholes or address potential security threats, business interests are often not fully considered – and sometimes they are sacrificed.
Another important regulation came into effect in September 2022, requiring that the export of “important data” and personal information go through a security review, again adding to business uncertainty.
Whether from a bank, hospital or travel agency, nearly any data generated in China could be seen as important or sensitive. This vague governance regime had seemingly created a nightmare scenario where simply sending a spreadsheet abroad required a security check. No company dare ignore the rules lest they risk a knock at the door from law enforcement.
The CAC finally addressed this situation last month with a proposed relaxation of the rules, published just ahead of the National Day holiday. This is an important move that should allow for business as usual in day-to-day cross-border data flows, no longer burdened by a security review process for trivial transfers of information.
The updated regulation should come into effect soon, with the consultation period having ended on October 15, making life easier for multinationals in China. It should also help Hong Kong maintain its role as an international base for Chinese businesses.
Had China imposed these data security checks and included Hong Kong in “cross-border” data transfers, the city’s long-standing role as a gateway to China would have been under threat.
Meanwhile, China is trying to set up “special zones” for data regulations that can offer additional relief. In the latest proposed regulation, China’s free trade zones will be granted autonomy to decide what data should be checked.
07:30
Why China is tightening control over cybersecurity
This relaxation shows that pragmatism can still prevail in China’s policymaking. It should come as much-needed relief for a business community that is struggling to deal with labyrinthine Chinese regulation. It also helps back up Beijing’s messaging about welcoming investors with tangible actions.
With sufficient leeway in implementation, businesses in China will notice the difference. Even if only a small step, it is a positive change.
