Sign up now for FREE unlimited access to Reuters.com
BEIJING, July 7 (Reuters) – China’s cyberspace regulator said on Thursday that rules requiring data exports to undergo security reviews will be effective from September 1, the first time it has set a start date for new regulations that will affect hundreds, if not thousands of Chinese companies.
The details of a new mandatory security review to be conducted by the Cyberspace Administration of China (CAC), which will be used to determine whether large amounts of Chinese user data in possession of a private device can be sent abroad, were also completed and published on Thursday, the regulator said in a statement on their official WeChat account.
While much of what the security review will entail was already posted by CAC in draft rules published in October last year, the final version published on Thursday adds an important detail.
Companies or entities that since 1 January last year have sent personal data abroad to 100,000 or more users, or “sensitive” personal data belonging to 10,000 or more users, will also have to undergo the CAC security review.
Previously, it was unknown from which date CAC would measure the size of companies ‘and entities’ user data.
The date of January 1 confirms that the scope of the security review will go far beyond just “critical information infrastructure operators and data processors handling personal information of more than 1 million people”, another category that was early defined by the CAC rules.
“Clarifying the specific provisions of the data export security review is necessary to promote the healthy development of the digital economy, prevent and address cross-border data security risks, safeguard national security and public and public interest,” CAC said on Thursday.
China’s concerns about foreign data exports have recently hit a number of Chinese companies.
CAC launched cyber security assessments of Chinese companies Full Truck Alliance, Kanzhun Ltd, and ride-hailing giant Didi Global in July last year, ordering them to stop registering new users, citing national security and public interest.
While the Full Truck Alliance and Kanzhun announced the resumption of new user registration last week, saying they had “corrected” the issues identified by CAC’s probe, Didi has not yet made a similar announcement.
Reporting by Eduardo Baptista, Brenda Goh and Yingzhi Yang. Edited by David Goodman and Frank Jack Daniel
Our standards: Thomson Reuters Trust Principles.