China tightens restrictions on data
New law specifically targets SMEs
China has introduced a contract that companies operating within its borders must sign before being able to transmit user data overseas.
The Cyberspace Administration of China (CAC) announced the release of the Standard Contract and the corresponding Measures on the Standard Contract for Outbound Cross-border Transfer of Personal Information (Standard Contract Measures) on 24th February.
The regulations come into effect from 1st June.
The new rules only apply to small and midsize firms: companies that handle the personal data of up to 1 million individuals, or those that intend to transfer personal data of up to 100,000 individuals outside China.
Larger firms are already covered by the CAC's security assessments and China's Personal Information Protection Law.
These companies are required to file a signed contract with a nearby CAC office within 10 working days of it coming into effect.
As part of the contract, the companies must evaluate the likelihood of data tampering or misuse. They also have to declare they have done so before transmitting the data overseas. In this context, "data tampering and misuse" includes assessing the risk of illegal usage by foreign recipients.
The contract also mandates that companies disclose the scale, scope, type and sensitivity of the information being transferred, and provide details on how it will be managed after being sent overseas.
To be eligible to use these contracts, the transmitting company must be "a non-critical information infrastructure operator", and must have sent personal data of fewer than 10,000 people overseas since 1st January 2022.
The Standard Contract will be applicable to most cross-border transactions originating from China.
Companies that do not meet the eligibility criteria will have to follow a different process, either by hiring a designated agent for certification or passing the CAC's more stringent security assessment.
The CAC has warned businesses against splitting up data into smaller batches to meet the eligibility criteria for the Standard Contract, instead of opting for the certification or security assessment process.
This is just the latest legislation China has introduced to govern data.
In recent years Beijing has introduced several laws regarding cybersecurity, data protection, and privacy. They require organisations with significant user bases to undergo assessments and obtain approvals before handling the vast amounts of data they collect.
The policies are part of China's broader Personal Information Protection Law (PIPL), which was enacted in November 2021.
Critics of the new Standard Contract requirements argue that compliance will be expensive. For its part, the CAC maintains that the regulations are necessary to protect the rights and interests of personal data owners, and to regulate the export of personal information outside of China.
Several foreign entities have found compliance with Chinese regulations to be difficult and, as a result, have decided to exit the Chinese market.
Both LinkedIn and Yahoo, for example, abandoned their Chinese operations following the implementation of the PIPL, citing the increasingly challenging business and legal environment in the country.