China has proposed relaxing its strict rules on data flows abroad, in its latest move to allay foreign business concerns and revive faltering growth in the world’s second-largest economy.
The Cyberspace Administration of China has drafted a set of exemptions to its requirement for approval to send personal data overseas, which applied to cross-border purchases, money transfers and air and hotel reservations. The internet regulator will still require a security assessment for companies collecting the data of more than 1 million people and using it overseas, but it’s narrowing the scope for other required filings.
Beijing’s new data laws have sparked widespread anxiety about how multinationals could continue to operate in the Asian powerhouse. The proposed softening of those measures comes ahead of a November deadline to secure approvals for international data transfers — a change that could affect the flow of everything from basic customer information to internal HR systems and the operation of loyalty programs.
The draft exemptions, published Thursday, would be especially helpful to companies that store personal data for fewer than a million users, said Atticus Zhao, a Beijing-based data compliance specialist at King & Wood Mallesons. “For many companies, especially cross-border companies, this is a huge relaxation, and substantially reduces the burden.”
Data restrictions were part of what propelled Morgan Stanley to shift more than 200 technology developers out of mainland China, and they were cited earlier by Dentons as one reasons for its split from its Chinese partner Dacheng.
In recent months, regulators have sought to address multinationals’ fears that the strict rules could turn China into a data island. They have held closed-door discussions to explain the policies to foreign businesses and floated a “green channel” plan to ease transfers.
The current regulations, from the 2021 data privacy and security laws, are widely seen to be more onerous than even the European Union’s strict data protection regime. International firms, from hoteliers to banks, have applied for approvals to transmit data beyond the mainland through authorized channels, but only a handful have so far gotten the green light.
Regulators have sought granular detail such as exact IP addresses for transfers and specifics about how much data companies have stored in China, taking as long as a year to respond to questions in some cases, according to people involved in the filing process who asked not to be named as it’s not public.
“I think regulators simply tried to do too much, too quickly with this one,” said Tom Nunlist, associate director at Beijing-based consultancy Trivium. “The data security regime is here to stay, but CAC is taking the sensible step to walk back untenable compliance requirements.”
--With assistance from James Mayger.
(Updates with details about approval process in penultimate paragraph)