Guidelines for China’s new cross-border data transfer assessments are stricter than expected, increasing worries that they will drive up compliance costs for international businesses working in China, reports the South China Morning Post. The Cyberspace Administration of China (CAC), the country’s internet watchdog, published a set of draft guidelines on Friday, laying out when and how companies should get the agency’s approval before sending data out of China.
China’s Cybersecurity Law, which came into force in 2017, compels data exporters to go through security assessments by the government. The new rules also encourage a self-review of data transfer risks.
Under the proposed guidelines, a government review is mandatory if the data exporter handles any personal information of more than 1 million Chinese residents, or the “sensitive” personal information—which includes financial or health data—of more than 10,000 people. A green light from the CAC is also needed if the data transfer is carried out by “critical information infrastructure operators,” or any firms that need to transfer “important” data—a term that currently has no clear official definition.