China Moves to Further Tighten Regulation of Digital Information

China Moves to Further Tighten Regulation of Digital Information

Proposed rules would make foreign companies get permission to transfer data outside the country

By Eva Dou April 11, 2017 7:44 a.m. ET

BEIJING—Foreign companies with business operations in China would be required to apply for permission to transfer data out of the country under draft rules released Tuesday, in the government’s latest move to tighten regulation of digital information.

The rules would affect all so-called network operators, a term that industry experts say likely encompasses technology companies, as well as other firms that do business through computer networks, such as financial institutions.

The rule would apply to companies seeking to move more than one terabyte of data out of China, or that have data on more than 500,000 people.

For example, consumer companies that have collected a large database of email addresses, birth dates or other information on their Chinese customers would appear to be required to get the permission of both their customers and the Chinese government before transferring that data out of the country.

The data would then be reviewed and blocked if the government believes it would hurt China’s political system, economy, technology or security.

The Cyberspace Administration of China said the rules were necessary to “secure personal information and the safety of important data, as well as to protect internet sovereignty and national security.”

The CAC didn’t respond to a request for additional comment. In the past, the government has broadly defined business operations that could affect the national interest, meaning that companies engaged in such disparate areas as health care, construction and finance could come under the rule’s purview.

The draft drew some industry criticism Tuesday. Multinational companies are generally opposed to data localization—keeping data physically stored in the country where it originates—saying that rules mandating the practice raise costs by requiring duplicate infrastructure and impede cross-border business.

“The strongest international standards to protect data privacy are determined by industry consensus, draw on global best practices, and are largely blind to where data is stored or transferred,” said Jake Parker, vice president of the U.S.-China Business Council.

The rules would broaden data-localization requirements to all “network operators,” versus the narrower set of “critical infrastructure” operators under last year’s cybersecurity law, said Bing Maisog, a partner of law firm Hunton & Williams.

“You could say it’s a revisiting of the law,” Mr. Maisog said.

The draft is open for public comment until May 11 and could change in its final form. Other recent Chinese cybersecurity regulations have been weakened in their final version after pushback from companies and foreign governments.

Data localization has also been controversial in Europe, where some countries require local data storage for security. The European Union is seeking public comment on data-localization rules.

Under the draft Chinese rules, smaller companies with data on fewer than 500,000 users could conduct a self-assessment instead of applying for government review.

Write to Eva Dou at eva.dou@wsj.com


Comments

Popular posts from this blog

High-speed Hyperloop track ready for first trial run in Nevada

How the Fed went from lender of last resort to destroyer of American wealth

Apple leaps into AI research with improved simulated + unsupervised learning