China’s policymakers have long grappled with a data and cybersecurity policy conundrum: how to balance government control without torpedoing business sentiment. To date, the pro-control camp has prevailed, ensuring that China’s policymakers treat its cyberspace as comparable to physical territory, with increasingly restrictive controls as (perceived) data risk to national security increases. At the same time, policymakers have touted the power of data as a new engine of economic growth.
This muddled approach – presenting data as both a needed means of economic development and something that must be reviewed and controlled – creates operational challenges for foreign and domestic companies alike. For foreign businesses, this creates enforcement uncertainty and regulatory ambiguity, which threatens routine processes like cross-border data transfer, data storage practices, and more broadly, the stability of their data governance practices.
Rolling Back Data Controls
In recent months, China’s commitment to a national-security-based approach to data has been put to the test. Foreign business sentiment is at an all-time low, as evidenced by negative 2023 foreign direct investment data for the first time in 15 years. Domestically, consumer spending and investment fell far short of post-COVID expectations, as cautious citizens opt to save rather than splurge. In response, policymakers clearly want to demonstrate that efforts to improve the business environment are genuine.
China’s data policy was creating business anxiety and proving challenging for China’s bureaucracy to implement. Draft regulations released in September 2023 addressed some of the biggest areas of concern for multinationals, including cross-border transfer restrictions, data location, and regulatory ambiguity. Following the customary comment period, foreign investors were forced to wait and speculate as to how much of the draft would remain the same when finalized and implemented.
The period between the release of the draft regulation and implementation of the final version proved eventful, featuring several high-profile events that have influenced China-U.S. relations. These include the summit between the Chinese and U.S. presidents in San Francisco, two different high-profile economic policy meetings to direct 2024 goals, and Taiwan’s presidential election.
On March 22, the Cyberspace Administration of China (CAC), China’s data watchdog, published the final draft of the cross-border regulation. The CAC approved the provisions on November 28, 2023, but did not publicly release the draft until March 22, 2024. This four-month delay was likely intended to coincide with China’s annual China Development Forum, a high-profile trade show designed to court foreign investment.
The final draft closely aligns with the previous draft. It reduces the burden of review for businesses, lessens existing regulatory ambiguity, and empowers free trade zones to experiment with other policy approaches.
The new cross-border rules significantly relax volume-based requirements, removing requirements to review data prior to transfer for processors dealing with under 10,000 “sensitive” personal information records, or under 1 million non-sensitive personal records. Past regulations imposed low volume thresholds that subjected most businesses, both foreign and domestic, to government oversight and review prior to overseas transfer of data. In another boon for foreign businesses, data related to e-commerce, HR operations, remittances, air ticket purchases, hotel bookings and visa processing are now exempt from government review.
The new CAC regulations also reduce the types of data categorized as “important.” The term “important data” is a longstanding and puzzling quirk of China’s approach to data policy. “Important data” is subject to the most stringent transfer, management, and storage requirements. However, “important data” is a term that has long (and still) remains undefined within current regulations. While businesses at present don’t have a working definition of the term, the regulations state that unless government officials explicitly define a data type as important, it is not understood to be so.
For businesses that do have to undergo data transfer security assessments, these assessments will now be valid for three years and will be easier to renew. Previous regulation specified that such assessments were only valid for two years. The new provisions streamline the process to renew security assessments by reducing documentation requirements.
In addition, the new rules increase the power to experiment within free trade zones. Free trade zones, long used as China’s policy experimentation sandbox, will now be allowed to rollback additional data transfer restrictions. These provisions establish a “negative list” approach, a process that exempts all data types not included on the official list from government assessment.
What’s Next?
The new regulations provide clarity and relax current data transfer standards. These changes will save businesses across industries time and money. However, these revised regulations leave China’s fundamental data policy pro-business vs. pro-control conundrum unresolved by reducing compliance requirements for businesses while continuing to allow the Chinese government to change key definitions (namely, what is defined as “important data”) in real time. This reality creates space for politically motivated data transfer reviews, a nightmare scenario for an American business should China-U.S. relations suddenly deteriorate.
Internal policy debate further complicates the tension in China’s approach to data policy, with different actors advocating for contrasting approaches. Three key players, in addition to sector specific regulators, are jockeying for position.
On the pro-business side is the Ministry of Commerce, whose mandate to increase commerce makes it more sympathetic to business community needs, especially as China is desperate to reverse low foreign direct investment numbers.
Debate within the Cyberspace Administration of China is intensified by its dual mandate, as it’s tasked with drafting and enforcement as well as catalyzing digital development.
Finally, the Ministry of State Security, China’s secret police and intelligence agency, is the third major player, an agency actively looking to control all data collected in China. This ministry targets a broader set of data (including for example, geographic information) that, it argues, falls within protected state secrets.
These three governmental agencies compete for influence and decision-making power. Which agency will exert dominance in the event of increased China-U.S. friction will depend in part on China’s changing priorities and economic strength.