China Eases Deadline Pressure for Multinationals’ Compliance With Data Security Rules

March 2, 2023

Chinese regulators have eased some deadline pressure on multinational companies struggling to comply with new rules requiring them to seek approval to export user data, according to lawyers advising clients on the matter.

In theory, global companies operating in China had until Wednesday, March 1 to submit extensive documentation that maps out their users’ data flow as well as complete a security review and gain government approval.

But the extensive disclosure required and repeated back-and-forth over issues such as documentation made the target date unattainable for many, the lawyers said.

In practice, companies now need to have only submitted an application containing documents on user data and flow by Wednesday, rather than have completed a whole security review, said Carolyn Bigg, a partner at international law firm DLA Piper.

The rules were introduced in September by the Cyberspace Administration of China (CAC) to strengthen cyber and national security.

They apply to firms with more than a million Chinese citizens as users, those seeking to export “important data,” those handling the personal information of more than 100,000 Chinese individuals, and those with the “sensitive” personal data of more than 10,000 people.

The issue affects a wide range of global companies that need to share Chinese user data with overseas offices, and how strictly data security is enforced in the future will determine how far businesses may have to go in “localizing” their data.

Ling Jin, head of digital and commercial services at Lusheng Law firm, said regulators had made a “compromise” in not strictly enforcing the deadline as they were also under pressure to restore confidence in the economy among multinationals.

“Their attitude has become a lot more practical,” she said.

It was not immediately clear if regulators would be setting a new deadline for the whole process to be completed. The CAC did not respond to a Reuters request for comment.

The regulator’s Beijing arm said last week that companies including Inc., Samsung Electronics, JPMorgan Chase & Co., Toyota Motor Corp., Volkswagen and Xiaomi have submitted documents for regulatory approval.

But the approval process has been slow, with authorities so far only disclosing approvals for two entities – Beijing Friendship Hospital and Air China.

Jin said companies must receive approval from local as well as national regulators.

In a typical case, she said, to win the nod at the local level, a company needs to prepare a 180-page document mapping out the data flow of its users. Then on the national level, the company needs to justify why certain data must leave China.

“For the regulators, this is also new to them,” she said. “They have to learn on the go.”

The CAC on Friday also issued separate data security rules that apply to organizations with smaller user bases.

(Reporting by Josh Ye; editing by Anne Marie Roantree and Edwina Gibbs)

Photograph: A Chinese tourist peeks inside a red door of the Palace Museum inside the Forbidden City, which was the Chinese imperial palace from the mid-Ming Dynasty to the end of the Qing Dynasty, on May 18, 2011 in Beijing, China. Photo credit: Feng Li/Getty Images.