China looks to relax cross-border data security controls

Receive free Cyber Security updates

We’ll send you a myFT Daily Digest email rounding up the latest Cyber Security news every morning.

China has moved to water down some of its tough cross-border data controls amid complaints from foreign businesses and a teetering economy.

The Cyberspace Administration of China unveiled rules on Thursday evening which look to clarify and simplify the transferring of data out of the country for ordinary business activities. 

Beijing’s move to walk back part of its burdensome regime comes amid efforts to reassure foreign businesses concerned about deteriorating US-China relations and the creeping influence of its own security apparatus.   

Under the security rules in place, CAC has been reviewing reams of data export submissions from foreign groups wanting to share “important data” abroad.

However, the rules “created an untenable situation, with people unsure if they should apply for the data reviews and unsure on what counted as important data”, said Graham Webster, a China expert at the Center for International Security and Cooperation at Stanford University.

“These changes would create a more clear path for most data to be sent abroad,” he said. 

CAC’s new draft rules state that only data explicitly categorised as important by government agencies would need to be submitted for security review. The draft rules allow global companies to share employee records outside the country, while personal information — needed for cross-border purchases or reservations — can also be sent without security reviews.  

China’s tough controls, coupled with an expanded anti-espionage law that went into effect in July, spurred many foreign groups to begin hiving off their local IT systems and data. Many companies have opted to fully localise data for fear of inadvertently transferring out sensitive material. 

CAC’s draft rules are open for public comment until mid-October and it is unclear if the changes will be enough to assuage foreign companies.

An expanded anti-espionage law remains in place and the Ministry of State Security has pushed a “whole of society” approach to policing security risks — under which all citizens are encouraged to join the ministry’s fight against espionage — while stepping up its domestic propaganda efforts. 

State security officials have raided the offices of US consultancies such as Bain & Company and Mintz Group this year, and aired a primetime broadcast of police searching the offices of Capvision, the expert network group which helped foreign investors with due diligence. Chips from Micron Technology, the US semiconductor giant, have also been labelled “serious network security risks” and banned in infrastructure.

“Security is still a huge concern for Xi Jinping’s China,” said Webster. “They’ve been sending mixed signals on gathering data and sending it abroad.”