China‘s Cyberspace Administration recently introduced updated rules aimed at streamlining and regulating cross-border data flow, particularly focusing on enhancing reporting standards for security assessments of significant data exports. The guidelines specify that data collected during international trade and cross-border activities that do not comprise personal or “important data” will be exempt from declaration requirements. This regulatory adjustment is perceived as a positive development for foreign entities operating in China. Tom Nunlist from Trivium China emphasized that while these changes reduce the compliance burden for many foreign companies, those involved in sensitive sectors must still address concerns around handling “important data.”
The amended rules, which came into effect recently, signify a refinement of the initial data export regulations issued in September, offering assurance to both foreign and Chinese companies engaged in international trade activities. In response to increased scrutiny over data handling within China’s borders due to national security priorities, these recent adjustments aim to alleviate uncertainties and facilitate smoother cross-border data transactions. Despite this progress, industry stakeholders have stressed the necessity for clearer definitions of “important data,” which currently encompass information deemed detrimental to national and economic interests or individual and organizational rights. The establishment of a “negative list system” within free trade pilot zones highlights a tailored approach to defining critical data sets subjected to security assessments.
Reuters’ disclosure in February regarding Shanghai’s intentions to expedite approvals for foreign entities relocating local data abroad via free trade zones corresponds with China’s broader initiative to streamline data export processes. The newly introduced regulations also feature revised criteria for activities requiring data export security assessments, extending the validity of assessment results from two to three years. This extension aims to accommodate the evolving data landscape and enhance the efficiency of data governance practices within the country.
