China considers 19-month grace period before enforcing cross-border data transfer rules




22 May 2017. By Xu Yuan.

China is considering a 19-month grace period before it fully implements its cross-border data transfer rules, MLex has learned.

The rules on cross-border data transfers will take effect on June 1, and cross-border data transfers by network operators must comply with the requirements in those rules from Dec. 31, 2018, according to a copy of a revised draft of "Measures for Conducting Security Reviews for Cross-Border Transfers of Personal Information and Important Data," seen by MLex.

The revised draft of the measures was circulated for discussion at a meeting convened by the Cyberspace Administration of China, the country's Internet regulator, last Friday. Participants at the meeting included representatives of foreign technology companies.

One article that has been of particular concern to foreign businesses remains unchanged.

Article 2 of the measures requires all network operators to conduct security reviews before they send any data abroad. That stipulation is not in line with the more overarching Cybersecurity Law, which requires only operators of critical information infrastructure to conduct such reviews before sending data out.

The revised draft removes one article that stipulated that security reviews should be conducted by the industry regulator when the data to be transferred abroad amounts to 1,000GB or more.

The draft also removes a requirement that the industry regulator finish security reviews within 60 working days.

It is understood that the revised draft is not yet final.

On April 11, the Cyberspace Administration published a consultation draft of the measures to solicit public comment. The consultation period ended on May 11.

China's Cybersecurity Law and related implementation rules have sparked concerns among foreign businesses. Last week, a total of 54 business organizations from countries such as the US, Japan and South Korea submitted a letter to the Cyberspace Administration asking it to delay the implementation of the law, which is due to take effect on June 1.

The organizations argued that provisions in the Cybersecurity Law and related measures would "add costly burdens, restrict competition and may decrease the security of products and jeopardize the privacy of Chinese citizens."
