Home Listing rules China calls for security reviews of companies seeking to export user data

China calls for security reviews of companies seeking to export user data


A sign above a Cyberspace Administration of China (CAC) desk is visible in Beijing, China on July 8, 2021. REUTERS / Thomas Peter

BEIJING, Oct.29 (Reuters) – China’s leading internet regulator on Friday released draft guidelines that will subject businesses with more than one million users in the country to a security review before they can submit related data to users abroad.

The Chinese Cyberspace Administration (CAC) said in a statement that the security review requirement would also apply to businesses if their data is collected and generated by operators of “critical information infrastructure”, or if the data to be sent abroad contains “” information.

Companies that have already sent abroad, or intend to send abroad, the personal information of more than 100,000 users or the “sensitive” personal information belonging to 10,000 users, would also be bound by the requirement, he said.

The proposed measures, which are open for public scrutiny until Nov. 28, come as Beijing tightens its grip on Chinese companies and the vast treasuries of data they control. It has adopted new laws on data security and the protection of personal information.

In July, the ACC also proposed that companies with more than one million users report to the regulator for a safety review before listing their shares overseas, just days after the public offering was suspended. ride-sharing giant Didi Chuxing’s (DIDI.N) initial on alleged data breaches.

Last month, China’s Ministry of Industry released draft rules to strengthen its new data security law, including definitions of what it considered “essential” and “important” data, for which cross-border transfers must be approved.

The ACC also detailed on Friday what documents organizations were required to submit, and said the security review should be completed in most cases within 45 days, but in “complicated circumstances” could take up to 60 days. days.

A successful security review would have a validity period of two years, but factors such as “changes in the legal environment of the country or region where the foreign recipient is located” could prompt a new review, according to the draft. rules.

Reporting by Yingzhi Yang, Brenda Goh and Eduardo Baptista; Editing by Christian Schmollinger and Gerry Doyle

Our standards: Thomson Reuters Trust Principles.


Please enter your comment!
Please enter your name here