China eases rules for some data exports

China’s cyberspace regulator relaxes data export rules, easing compliance for foreign firms in China. Data from international trade and cross-border transport without personal or “important data” won’t require declaration.

 Blackboard, China Flag, Flag

China’s cyberspace regulatory body has unveiled more lenient regulations concerning the international transfer of data, aiming to simplify adherence for foreign enterprises operating within China. The Cyberspace Administration of China has specified that data stemming from international trade and cross-border transport, lacking any personal or deemed “important” data, will not necessitate formal declaration. Nonetheless, uncertainties persist regarding the definition of “important data.”

These newly enacted rules, effective immediately, expand upon last September’s proposals for relaxing data export regulations, bringing relief to both foreign and domestic companies. Furthermore, these regulations introduce a “negative list system” within free trade pilot zones, granting them the autonomy to identify data necessitating security evaluations.

According to Reuters, Shanghai is actively streamlining the approval process for foreign companies seeking to transfer local data offshore via its free trade zones. Additionally, the validity period for data export security assessment outcomes has been extended to three years, accompanied by adjustments in the conditions for declaring such activities. Achieving clarity in data classification remains crucial for enterprises navigating China’s ever-evolving regulatory framework.

Why does this matter?

This move signifies a shift in China’s approach to regulating data export, impacting both foreign and domestic companies operating within its borders. By relaxing rules, China aims to facilitate cross-border data flow, reducing compliance burdens for businesses engaged in international trade and cross-border activities. Additionally, the introduction of a “negative list system” for free trade zones indicates a move towards greater autonomy in data security assessments, potentially fostering a more business-friendly environment.