China’s top internet regulator on Friday published draft guidelines that will subject companies with more than one million users in the country to a security review before they can send user-related data abroad.
The Cyberspace Administration of China (CAC) said in a statement that the security review requirement would also be applied to firms if their data is collected and generated by operators of “critical information infrastructure,” or if the data to be sent overseas contains “important” information.
Companies that have already sent abroad, or intend to send abroad, the personal information of more 100,000 users or “sensitive” personal information belonging to 10,000 users, would also be bound by the requirement, it said.
The proposed measures, which are open to public review until Nov 28, come as Beijing tightens its grip on Chinese companies and the vast troves of data they control. It has passed new laws on data security and personal information protection.
In July, the CAC also proposed that companies with more than 1 million users must report to the regulator for a security review before listing shares overseas, just days after suspending the initial public offering of ride-hailing giant Didi Chuxing over alleged data violations.
Last month, China’s industry ministry published draft rules aimed at bolstering its new data security law, including definitions of what it considered “core” and “important” data, for which cross-border transfers must receive approval.
The CAC also detailed on Friday what documents organisations needed to submit, and said that the security review should be completed in most cases within 45 days but under “complicated circumstances”, could require up to 60 days.
A successful security review would have a two-year validity period, but factors such as “changes in the legal environment of the country or region where the overseas receiver is located” could prompt a new review, according to the draft rules.