Security News > 2023 > February > China makes it even harder for data to leave its shores

Starting in June, companies operating in China must undergo a regulatory intervention when sending data abroad, thanks to the Cyberspace Administration of China.

The CAC announced on Friday businesses that handle the personal information of up to 1 million people, or want to send user information of up to 100,000 individuals abroad, will need to sign a standard contract before doing so and file it with a local CAC office within 10 working days of it taking effect.

To use these contracts, those sending the information must also be non-critical information infrastructure operators and the company must have sent personal data overseas of less than 10,000 people since January 1 of the previous year.

Just in case a company thought it was being clever, the CAC warned businesses not to split up data into batches to qualify for the standard contract instead of the certification or security assessment.

The CAC said that if it found a greater data security risk, it could "Conduct interviews with the personal information handlers in accordance with law." The regulator also reserved the right to change the rules.

Critics have said the new standard contract requirements are costly, but according to the CAC, they "Protect the rights and interests of personal information and regulate activities of exporting personal information abroad.".

News URL

https://go.theregister.com/feed/www.theregister.com/2023/02/27/china_data_regulatory_intervention/