China’s sluggish approval of data exports leaves companies struggling

Stay informed with free updates

China has approved only about a quarter of applications to export data since the introduction of new data security laws, dealing a blow to businesses struggling to navigate a slowing economy and increased tensions between Washington and Beijing.

Under a law that came into force in September 2022, government approval is required for cross-border data transfers by companies with more than 1mn registered users, a low threshold in a country with a population of more than 1bn.

The Cybersecurity Administration of China, the country’s chief internet regulator, has yet to approve thousands of requests from local and international businesses to send data, ranging from personal credit history to online sales records, to their overseas partners, current and former CAC officials said.

Only about one quarter of all applications have been approved, according to one current CAC official, one former CAC official and the head of data security at a Chinese ecommerce company. It is not clear how many applications have been submitted in total. The CAC stopped publishing figures on approvals in May. It did not respond to requests for comment.

While the regulator should, by law, complete a data security review within 57 working days of receiving an application, most companies spend many months waiting for feedback, officials said. The feedback often includes requests for further information.

“Not a single company can complete data security review within the officially suggested timeframe as the CAC would either ask them to correct formatting or submit more materials,” said a CAC official, adding that some companies had to make changes to their applications more than a dozen times to meet regulatory requirements. “The whole process becomes very time consuming,” the official said.

Analysts said the CAC’s struggle to implement data export rules highlights the challenges facing Beijing as it seeks to achieve the conflicting goals of boosting economic growth and strengthening national security.

“Before, it was implicitly understood that growth was sort of prioritised,” said Karman Lucero, a researcher at Yale Law School. “Now the dynamics totally shifted, where folks recognise more explicitly that there is this contradiction between those two goals and increasingly the government is choosing security regardless of what they say.”

Since September 2022, Beijing has required operators of critical information infrastructure, companies handling data deemed crucial for national security and those with access to large volumes of user information to pass a CAC-led security assessment before sending data abroad.

By early May, just two companies in Shanghai, a hub for international trade, had won regulatory approval to transfer data abroad. More than 400 companies had applied for permission in that period, according to the CAC Shanghai branch. Zhejiang province, which also published approvals information, said it had given the go-ahead to two of the 70 data export requests received by May 24.

While Beijing in September 2023 relaxed the law — allowing some data to be sent abroad without review — and more permissions have been granted since then, multiple data security lawyers said it took at least six months for companies to pass a CAC review. “There is a long queue that keeps growing,” said Pang Lipeng, a lawyer at Beijing Celue Law firm, who has worked on data security review cases.

While Chinese law requires a security review of “important data” exports, no definition has been provided. “Some seemingly trivial data may one day become significant along with the development [of] AI technology,” said the CAC official. “All we can do is make decisions on a case-by-case basis.”

At a recent data security conference in eastern China, the head of data security at a leading internet company described a scenario at a peer group, which had to wait six months for clearance to send information related to a dozen middle-level employees abroad.

“A lot of our peers have chosen to lie flat,” said an executive at a leading electric-vehicle manufacturer, referring to the fact many local EV makers had given up hope of passing data security reviews. Some dropped export plans, while others decided to sell overseas without getting data security clearance.

The unpredictable nature of China’s policymaking meant more changes could come, said the CAC official. “It is true we have relaxed a bit,” said the official. “But I can’t guarantee we’ll tighten again [in 2024] in the event of an escalation of US-China tensions.”

This article was originally published by a . Read the Original article here. .