China’s internet watchdog Cybersecurity Administration of China (CAC) issued new rules on cross-border data transfer, as reported by South China Morning Post on July 8. Under the new rules, which will take effect on September 1, important and massive data transfers from China to destinations outside its borders will undergo security inspections, and the CAC has the discretion to conduct reviews indefinitely. The new rules will apply to businesses that handle the personal data of more than 1m Chinese residents. Additionally, entities that have transferred personal information on at least 100,000 cumulative individuals or sensitive data on more than 10,000 people since the start of the previous year will be subject to safety reviews.
The new rules came amid the prospering digital economy and growing cross-border data activities nowadays, according to a statement by CAC. Aside from regulating cross-border data transfers, the new rules are intended to protect the rights and interests of personal information and safeguard national security and social public interests. The regulations defined important data as information that may endanger national security, economic operation, social stability, and public health and safety once it is falsified, damaged, leaked, illegally obtained, or illegally used. The new rules will cooperate with the Cybersecurity Law passed in 2017 and the Data Security Law and the Personal Information Protection Law enacted in 2021.