China Tightens Control Over Company Data With Transfer Rules

China Tightens Control Over Company Data With Transfer Rules
A trade show visitor places her hand on a globe in Beijing, China, September 7, 2021. Ng Han Guan/AP Photo
The Associated Press
Updated:

BEIJING—Companies in China would need government approval to transfer important data abroad under proposed rules, announced Friday, that would tighten Beijing’s control over information and might disrupt operations for international corporations.

The measure is needed to protect the Chinese public and “safeguard national security,” the Cyberspace Administration of China said.

Xi Jinping’s government sees information about China’s 1.4 billion people as a potential security risk in private hands. It has issued a flurry of rules tightening control over how companies gather and handle information.

A crackdown on data security launched in late 2020 fueled anxiety among investors, who have knocked more than $1.3 trillion off the total market value of e-commerce platform Alibaba, games and social media operator Tencent, and other tech giants.

Companies that want to transfer important data abroad would have to report on how much and what type of information is involved and security measures that would be used, according to the CAC. Regulators would decide within a week whether to accept the request or conduct their own review, which could last up to 60 days.

The rules would apply to transfers that involve “sensitive personal information” on at least 10,000 people or any company that handles information on more than 1 million people. They give no details on what is important or sensitive.

Rules imposed earlier prohibit companies from storing information about Chinese citizens abroad, which prompted complaints that global companies are put at a disadvantage because they can’t combine information from China with other countries, while Chinese competitors can collect all their data at their headquarters.

A separate law, that takes effect Monday, establishes security standards, prohibits companies from disclosing information without customer permission, and tells them to limit how much data they collect. Unlike data protection laws in Western countries, the Chinese rules say nothing about limiting government or ruling Communist Party access to personal information.