Companies that collect personal data will be responsible for assessing whether it needs to be protected when it is transferred overseas, under new rules drafted by the China’s government regulator.
The Cyberspace Administration of China (CAC) said on Thursday it wants feedback from the public on the rules, which are designed to strengthen oversight over troves of data collected by the private sector and popular apps.
Under the draft rules, entities collecting personal data will be responsible for assessing the legality, legitimacy, as well as the need for the data, its scope and whether it would remain protected once it is transferred overseas.
The draft also covers methods of handling personal information by domestic processors and overseas recipients.
China has in recent years emphasised the risks to national security inherent in transferring user data overseas.
CAC launched cybersecurity reviews into Full Truck Alliance and Kanzhun alongside Chinese ride-hailing giant Didi Global in July last year, and ordered them to stop registering new users, citing national security and the public interest.
On Wednesday, Full Truck Alliance and Kanzhun said they had rectified their security issues and received the regulator’s consent to resume new user registrations.
The draft rules are designed to bolster a data security law implemented last year September, which requires all companies in China to classify the data they handle into several categories and governs how such data is stored and transferred to other parties.
Organisations must also receive approval for cross-border transfer of core data and important data via a special mechanism, the law states.
In 2021, China implemented the Personal Information Protection Law (PIPL) and the Data Security Law (DSL), requiring international and domestic companies to re-evaluate how they handle Chinese personal data.
The PIPL sets how data is collected, stored and handled in mainland China. And it establishes data processing requirements and mandatory approval of data transfers by Chinese authorities if the data is requested by a foreign judiciary.
For multinational companies, the law also demands certain data protection certifications.
• Reuters with additional editing by Jim Pollard
ALSO on AF: