China issues draft legislation on data transfers, guidelines on Internet platforms

Those who intend to export data will need to ensure the information is properly stored and managed. PHOTO: AFP

BEIJING - China's top cyber-security authority is seeking public comments on the draft of a new law governing data moving out of the country.

Targeted at companies with more than a million users, the new regulation will mean that such firms will be subject to a cyber-security review lasting up to 60 days before being allowed to transfer data.

This is the latest in a series of moves by Beijing to tighten regulation over the tech industry, which has come under intense scrutiny in recent months.

Under the draft law published by the Cyberspace Administration of China (CAC) on Friday (Oct 29), the new rules will be applied to firms whose data is collected and generated by operators of "critical information infrastructure" or if the data to be sent overseas contains "important" information.

This will apply to companies intending to transfer the data of more than 100,000 users, or 10,000 users if they contain "sensitive personal information".

Those who intend to export data will also need to ensure the information is properly stored and managed.

The public has until Nov 28 to provide feedback.

Later on Friday, China's market regulator also published draft guidelines on the responsibilities of Internet platforms.

In a document, the State Administration for Market Regulation classified Internet platforms and outlined rules for such firms to follow in areas like data, labour rights and fair competition.

The proposed regulations come on the heels of several new regulations targeting the tech industry and data.

In July, regulators investigated ride-hailing firm Didi for what it said was mishandling of data.

The firm, which operated the largest fleet of hire cars in the country, had a massive information trove which included maps and data about the hours kept by government staff. It even produced a graphic showing that the Public Security Bureau had employees hailing rides at all hours.

The probe into Didi is still under way and the firm has not been allowed to sign up new users.

Since then, regulators have issued a number of documents calling for public feedback on several areas, while legislation governing personal data will go into effect next Monday.

Last month, the Ministry of Industry and Information Technology (MIIT) published draft rules aimed at bolstering its new data security law, including definitions of what it considered "core" and "important" data, for which cross-border transfers must receive approval.

In July, the CAC solicited feedback for a law that said firms with more than one million users have to apply for permission before listing overseas - a low bar that will essentially extend to practically all tech firms with foreign IPO ambitions.

More importantly, the document listed seven factors for approving foreign listings.

These include risk of supply disruptions due to political, diplomatic or trade reasons; risk of misappropriation of core data; and risk of data being influenced, controlled or maliciously used by foreign governments.

China has in the past governed personal data privacy with a fairly light hand. But regulators are now framing the issue as one of national security, amid a strategic rivalry with the United States that is rapidly heating up.

The MIIT had earlier drawn up a three-year action plan to develop the country's cyber-security industry, estimating it to be worth 250 billion yuan ($52 billion) by 2023.

Join ST's Telegram channel and get the latest breaking news delivered to you.