- The Chinese government perceives data as closely linked to economic development and national security. The State Council included data as a factor of production in a 2020 policy and, in 2021, both the MIIT and the Cyberspace Administration of China reaffirmed that data is a “strategic resource” in their policies.
- This view on data is likely to make large sections of cross-border transfer of data a matter of national security with direct ramifications on the globally integrated IT systems of MNCs. First steps have been taken in the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law (PIPL), but implementation has remained vague.
- Three newly published regulations answer directly to three cross-border mechanisms introduced in the PIPL- security assessment, 3rd-party certification, and standard contract.
- The Security Assessment Measures specify the security procedures for companies that are CIIOs and that handle important data or a large volume of personal information, entering into force on 09/01, with a 6-month grace period.
- TheProvisions on Standard Contracts for Cross-border PI Transfer, a draft currently seeking comments, introduces an approach for non-CIIOs that doesn’t require third-party reviews and therefore will likely be predominantly used by companies.
- Companies need to review their current cross-border data transfer work streams and assess which mechanism they need to follow. Overall, however, will the tightened control over data transfers (and the increasing compliance cost that come with it) likely push more companies to consider storing their data inside the country.
Sinolytics is a European consulting and analysis company specializing in China. It advises European companies on their strategic orientation and concrete business activities in the People’s Republic.