Stay informed with free updates
Just sign up for Chinese politics and policy myFT Digest — delivered straight to your inbox.
Since the introduction of new data security laws, China has approved only about a quarter of data export applications, a blow to companies struggling with a slowing economy and escalating tensions between the United States and China.
Under a law that went into effect in September 2022, cross-border data transfers by companies with more than 1 million registered users will require government approval, a standard that does not apply to countries with more than 1 billion people. is low.
China’s main internet regulator, the China Cybersecurity Administration, has yet to approve thousands of requests from domestic and foreign companies to send data ranging from personal credit histories to online sales records to overseas partners. said current and former CAC employees.
Only about a quarter of all applications are approved, according to one current CAC official, one former CAC official, and a data security officer at a Chinese e-commerce company. It is not clear how many applications were filed in total. CAC stopped publishing approval figures in May. The company did not respond to requests for comment.
Regulators are required by law to complete a data security review within 57 business days of receiving an application, but most companies spend months waiting for feedback, officials said. . Feedback often includes requests for further information.
“Not a single company will be able to complete their data security review within the officially proposed timeframe as CAC will require them to amend the format or submit additional materials,” a CAC official said, in part of companies had to make changes to their applications for more than a year, it added. Dozens of times to meet regulatory requirements. “The whole process is very time consuming,” the official said.
Analysts said the CAC’s struggle to introduce data export controls highlights the challenges faced by the Chinese government as it seeks to achieve the conflicting goals of promoting economic growth and strengthening national security. .
“Previously, there was an implicit understanding that growth was a priority,” said Kalman Lucero, a researcher at Yale Law School. “Now the dynamics have completely changed, people are more clearly aware of the contradiction between these two goals, and no matter what they say, governments are increasingly choosing security. I am.”
Since September 2022, the Chinese government has required operators of critical information infrastructure, companies that handle data deemed critical to national security, and companies with access to large amounts of user information to require CAC before sending data overseas. Requires the company to pass an sponsored security assessment.
By early May, only two companies in the international trade hub of Shanghai had received regulatory approval to transfer data overseas. According to the CAC Shanghai branch, more than 400 companies applied for permits during this period. Zhejiang Province has also released approval information, announcing that it had given the go-ahead to two out of 70 data export requests received by May 24th.
Although the Chinese government relaxed the law in September 2023 to allow some data to be sent overseas without vetting, and more permissions have been granted since then, multiple data security lawyers say He said it took at least six months for companies to pass the CAC audit. “Long lines continue to grow,” said Pan Lipen, a lawyer at the Beijing Celue law firm who has worked on data security review cases.
Chinese law requires safety reviews for the export of “sensitive data” but does not provide a definition. “Even seemingly trivial data can become important someday as development progresses. [of] It’s AI technology,” said a CAC official. “All we can do is make decisions on a case-by-case basis.”
At a recent data security conference in eastern China, the head of data security at a major internet company said it would take up to six months to get permission to send information related to more than a dozen mid-level employees overseas. I explained the scenario of a peer group having to wait.
“Many of our peers have chosen to remain calm,” said an executive at a major electric vehicle manufacturer, referring to the fact that many local electric vehicle manufacturers have given up hope of passing the data security review. Some companies canceled their export plans, while others decided to sell overseas without obtaining data security permits.
The unpredictable nature of China’s policy-making means further changes are possible, CAC officials said. The official said, “It’s true that he was a little relaxed.” “But I can’t guarantee that it will tighten again.” [in 2024] In case US-China tensions escalate. ”