In early June, China officially put into effect regulations on standard contracts for cross-border personal information transfers, which require data processors (including companies that process data of less than 1 million people) to have contracts with overseas recipients before transferring.

The new rules are part of Beijing's efforts to tighten control over domestic data in the name of protecting national security.

Currently, the country's top legal framework for data privacy management consists of three laws: the Cybersecurity Law, the Data Privacy Law, and the Personal Information Protection Law.

Accordingly, the central government has established a personal data export management regime. In addition to the measures in the standard contract, the regime includes rules requiring companies to conduct security assessments with the national internet supervision authority or apply for personal information protection certification from the competent authority.

Xu Ke, director of the research center on digital economy and legal innovation at the University of International Business and Economics, said regulators are struggling to strike a balance between enhancing data security and promoting data-driven economic growth.

High number of companies, low approval rate

Under security assessments for cross-border data transfers, which came into effect on September 1, companies that process personal data relating to more than 1 million people must undergo a security assessment if they want to transfer data abroad.

Companies must submit security self-assessment reports to local network regulators and the Cyberspace Administration of China (CAC) for two rounds of review.

Currently, data transfers abroad are considered legal if the transferor signs a contract with the recipient and submits that the data to be transferred passes the security test of the competent authority.

Although the measures came into effect in September, their implementation has been difficult due to the large number of companies and a lack of human resources to assess their security reports.

By the end of April, Shanghai's cyberspace administration had received more than 400 evaluation reports, of which only 0.5 percent were approved by the CAC.

The situation is similar elsewhere. Nationwide, authorities have received more than 1,000 applications to transfer data overseas, of which fewer than 10 have passed the two rounds of review, Caixin sources said.

At the national level, the majority of security report approval review work is carried out by the CNCERT/CC cybersecurity technical center, which has a total staff of about 100 people.

“Vague” criteria

In addition to staffing constraints, a lack of clarity in assessment criteria is slowing down the approval process, with regulators and companies disagreeing on why the requested data transfer is necessary.

For example, the applicant must explain why transferring data to a foreign party for processing is lawful, reasonable and necessary, but no further guidance is provided.

Mr. Xu Ke warned that applying an “all-in-one” mechanism could lead to excessive restrictions on certain industries and sectors, hindering the free flow of data because the level of causing national security concerns is different.

He Yuan, executive director of the Data Law Research Center at Shanghai Jiao Tong University, noted that the workload for local regulators could increase significantly as companies with fewer than 1 million employees will also have to sign standard contracts starting in June.

Since 2023, mainland authorities have stepped up publicity efforts, such as conducting guidance for corporations to familiarize themselves with data transfer rules.

However, high compliance costs, difficulties in communicating with overseas recipients, and regulatory uncertainty are among the factors that Beijing has not been able to resolve for businesses.

Expensive

To avoid trouble, companies tend to consult third-party agencies regarding the submission of security assessment reports.

However, the service fees charged by these consulting agencies can easily reach hundreds of millions of yuan, putting small companies at a disadvantage. The quality of service from these agencies can also vary.

Even with the help of consultants, many businesses still struggle to get approval. Many first-time applications do not fully meet regulatory requirements, said Zhang Yao, a partner at Sun & Young Partners, a Shanghai-based law firm.

While regulators have clarified requirements around core issues of what data needs to be transferred overseas, through what systems, to whom, and whether there are security risks, “sorting out these issues requires a lot of cost and effort” on the part of companies.

And for multinational companies, even if they succeed in sending personal data overseas, they still face ongoing compliance investments in subsequent use, said Chen Jihong, a partner at Beijing-based Zhong Lun Law Firm.

What’s more, the data transferor must submit information about the overseas recipient in a report—something few companies are willing to share. For example, the giant Microsoft publicly stated that it “will not cooperate” with China’s data security assessment requests.

(According to Nikkei Asia)