In an escalating move to control data flow and safeguard personal information, China’s internet regulator, the Cyberspace Administration of China (CAC), has proposed draft regulations that mandate all companies involved with personal data to execute regular compliance audits. This initiative includes specific checks on data shared with overseas entities.
The newly proposed draft regulation, released last Thursday, establishes that any company with a user base exceeding 1 million is obliged to perform an annual audit to evaluate their adherence to rules relating to the management of user’s personal data. For service providers with a user base less than 1 million, audits will be required every two years.
The CAC is currently seeking public opinion on the draft regulation, a process that will continue until September 2. Alongside conventional audits, a specific focus on data transferred internationally is included in the draft. This audit will scrutinize if personal information is shared with foreign judicial or law enforcement agencies, ensuring this occurs only after acquiring the necessary authorization from Chinese authorities.
Another critical aspect of these audits will be to ascertain whether those managing data understand the personal information protection policy and the cybersecurity environment of the country or region to which the data is being sent. Furthermore, the audits are expected to validate that companies adhere to pre-existing security assessment requirements when sending data and information overseas.
Companies with a user base of more than 1 million are required to secure official approval before sharing information with international entities. Firms that have transferred the data of over 100,000 users or sensitive data of more than 10,000 users to overseas entities since the start of the previous year must also acquire approval and will need to review the process.
According to the CAC, the draft regulation’s objective is to “provide guidance and regulate compliance audits” for personal data protection, relying on established laws and regulations, including the Personal Information Protection Law.
An additional obligation for companies managing personal data is to institute measures ensuring that foreign recipients manage data in accordance with China’s personal information law. Compliance audits should primarily review if data processors are aware of the overseas entities’ data protection standards. The audit must also verify whether recipients are informed about relevant Chinese laws and regulations and if measures are implemented to ensure recipients meet their obligations concerning data protection.
This regulation is Beijing’s latest move towards more robust data protection as the Chinese government becomes increasingly wary about its data accessed by entities outside mainland China.
A significant event highlighting this concern occurred in 2021 when Chinese regulators thwarted a bid by the ride-sharing titan Didi Chuxing to go public in New York. The regulators cited data security risks and “national security” concerns as their primary reason. This event underscored the Chinese government’s growing apprehension about its data falling into foreign hands, potentially putting its citizens’ privacy at risk or compromising national security.
In the past few years, Beijing has been implementing stricter control and enhancing oversight regarding the handling of personal data within China. The Data Security Law, which came into effect in 2021, circumscribes the methods of data processing and imposes hefty penalties for companies that transfer crucial data overseas without governmental authorization. Simultaneously, the personal information law was enacted, imposing restrictions on how personal data can be collected, used, and managed.
Adding another layer of compliance, the CAC introduced a “standard contract” for personal data leaving the country in June. This contract is a compliance requirement for companies managing the personal data of up to 1 million Chinese users. In summary, the draft regulation proposed by the CAC emphasizes the Chinese government’s focus on personal data protection. With an expanding digital landscape, personal data has become a prized asset that needs safeguarding, and the CAC’s move underlines China’s determination to maintain control over its citizens’ data while requiring companies to take rigorous steps to ensure the data’s security. If this regulation is adopted, it will signify a landmark development in China’s approach to data protection, echoing a global trend towards tighter controls over personal data. The onus is now on companies to improve their data handling practices to ensure compliance with the increasingly stringent regulations
Read More: