China issues draft law on firms moving data out of country

China's top cyber-security authority is seeking public comments on the draft of a new law governing data moving out of the country.

Targeted at companies with over a million users, the new regulation will mean that such firms will be subject to a cyber-security review lasting up to 60 days before being allowed to transfer data.

This is the latest in a series of moves by Beijing to tighten regulation over the tech industry, which has come under intense scrutiny in recent months.

Under the draft law published by the Cyberspace Administration of China (CAC) yesterday, the new rules will be applied to firms whose data is collected and generated by operators of "critical information infrastructure" or if the data to be sent overseas contains "important" information.

This will apply to companies intending to transfer the data of more than 100,000 users, or 10,000 users if it contains "sensitive personal information".

Those that intend to export data will also need to ensure the information is properly stored and managed.

The public has until Nov 28 to provide feedback.

Later yesterday, China's market regulator also published draft guidelines on the responsibilities of Internet platforms.

In a document, the State Administration for Market Regulation classified Internet platforms and outlined rules for such firms to follow in areas like data, labour rights and fair competition.

The proposed regulations come on the heels of several new ones targeting the technology industry and data.

In July, regulators investigated ride-hailing firm Didi for what they said was mishandling of data.

The firm, which operated the largest fleet of hire cars in the country, had a massive information trove that included maps as well as data on the hours worked by government staff.

It even produced a graphic showing that the Public Security Bureau had employees hailing rides at all hours.

The probe into Didi is still under way and the firm has not been allowed to sign up new users.

Since then, regulators have issued a number of documents calling for public feedback on several areas, while legislation governing personal data will go into effect on Monday.

Last month, the Ministry of Industry and Information Technology (MIIT) published draft rules aimed at bolstering its new data security law, including definitions of what it considered "core" and "important" data, for which cross-border transfers must receive approval.

In July, the CAC solicited feedback for a law that said firms with more than one million users have to apply for permission before listing overseas - a low bar that will essentially extend to practically all tech firms with foreign initial public offering ambitions.

More importantly, the document listed seven factors taken into consideration when approving foreign listings.

These include risk of supply disruptions due to political, diplomatic or trade reasons; risk of misappropriation of core data; and risk of data being influenced, controlled or maliciously used by foreign governments.

China has in the past governed personal data privacy with a fairly light hand. But regulators are now framing the issue as one of national security, amid a strategic rivalry with the United States that is rapidly heating up.

The MIIT had earlier drawn up a three-year action plan to develop the country's cyber-security industry, estimating it to be worth 250 billion yuan (S$52.6 billion) by 2023.