American Firms Race to Meet China’s Data Rule Deadline, Mar. 1, 2023.

By Raffaele Huang

Amazon and JPMorgan among dozens of entities to have sought approval to export data from China


Multinational companies doing business in China raced to submit their data practices for Beijing’s review ahead of a Wednesday deadline as the country seeks to identify national security and cybersecurity risks from the increasingly global flow of data.

In September, Beijing gave companies operating in China six months to seek approval before allowing some locally generated data to be exported outside its borders, part of a broader tightening of data security as geopolitical tensions rise between China and the West.

That mandate set off a costly rush among companies to scrutinize their data-handling methods. Beijing’s internet regulator said last week that 48 foreign and domestic entities, including Amazon.com Inc., JPMorgan Chase & Co. and Volkswagen AG, have filed for government reviews. Some 140 companies including Apple Inc. and Siemens AG were preparing documents, the agency said.

JPMorgan declined to comment, while the others didn’t respond to requests for comment.

Over the past six years, Beijing has built up a data-governance system to shore up controls over how it handles the increasing reams of information made available by technology, especially those that it considers critical to national security. The regulatory regime has increased compliance costs for businesses and is pushing more multinationals to store data locally and adjust business practices, legal experts say.

“Inevitably, it forces global companies to decouple certain products brought to market in China from their global product offerings,” said Matthew Margulies, a senior vice president at the U.S.-China Business Council. “In some instances, companies won’t bring some of their latest technology to China because the data environment is too complex and costly.”

The country’s main internet regulator, the Cyberspace Administration of China, didn’t respond to a request for comment.

According to the September rule, “critical information infrastructure operators”—companies processing data for industries such as telecommunications, defense, energy and finance—must pass a security review by the internet regulator before they can transfer users’ personal data abroad.

Entities that are required to go through such reviews also include those handling the data of one million people or more, as well as those that have been transferring abroad the personal data of at least 100,000 people or the sensitive personal information of 10,000 people or more.

The broad scope of the regulations means that whole industries, such as airlines and banks, both Chinese and foreign, are affected by the rules, since they share sensitive data on their customers with overseas counterparts to operate international trips and conduct transactions.

The Montreal-based International Air Transport Association is among the industry associations and legal practitioners that have argued the thresholds are too low and create burdensome reporting obligations.

The low threshold means that “most, if not all, airlines operating in China will need to perform the security assessment and obtain the necessary approvals,” IATA spokesman Albert Tjoeng said, calling the compliance onerous and time-intensive.

IATA, which participated in the consultation process and appeared to have some of its recommendations adopted, has called on Chinese regulators to extend the deadline and consider the specific challenges facing the aviation industry.

The September regulation didn’t say what the penalty would be for companies that don’t submit their practices for review by Wednesday.

Air China Ltd. was among the first applicants to have received Chinese regulatory approval for its cross-border data transfer practices. By giving priority to the review and approval of Air China’s application, Beijing intended to establish a model for the sector and to send the message that the audit wouldn’t be an insurmountable obstacle for the industry, people familiar with the review said.

Other travel operators, such as state-owned aviation system provider TravelSky Technology Ltd. and online travel platforms Trip.com Group and Alibaba Group Holding Ltd.’s Fliggy, have also filed for government checks, people familiar with the companies said. Trip.com Group declined to comment. Alibaba and TravelSky didn’t respond to requests for comment.

Foreign multinationals are among the biggest employers in China. They typically store data about their employees outside the country and allow access to the data from overseas, making them subject to the new rule.

Transfers of so-called important data, which Chinese regulators have yet to fully define, also require government approval. Such data can include human genetic information as well as data on public infrastructure and natural resources, or any other data that could otherwise undermine national security, according to official instructions. Regulators of different industries are responsible for laying down their own rules.

In the health sector, for instance, China’s internet regulator was asked to approve, and signed off on, data transfers for an international clinical study by a Chinese hospital and the Netherlands’ Amsterdam University Medical Center.

Beijing has also tightened regulations over data collection by car companies, as vehicles gather more information about drivers and passengers as well as about military and government locations. In 2021, China restricted the use of Tesla Inc. cars by military staff and employees of some state-owned companies, citing national-security concerns.

Auto makers such as Volkswagen and Toyota Motor Corp. have filed for reviews, the local branch of China’s internet regulator said. It isn’t clear whether they applied for transfers of data related to the vehicles, employees or otherwise. Both companies employ tens of thousands of people in China. Volkswagen and Toyota didn’t respond to requests for comment.

Other companies potentially affected include technology firms and foreign retailers, which collect large amounts of user and supplier data to generate business intelligence reports, which can be shared with overseas teams.

Over the past six months, companies seeking to ensure compliance have struggled to figure out how to prepare documents for review, how to map internal data flows and how much detail to include.

One of the most time-consuming tasks is data mapping, to demonstrate in detail how data is transferred and what systems and databases are involved, which can take more than one month to complete, said people involved in the process.

Required disclosures also include information about companies’ overseas technology infrastructure and personnel involved in data transfers, such as internet-protocol addresses of overseas data centers and personal identification numbers, according to official guidance. Some companies were concerned about providing such information to the Chinese government and have been seeking a compromise with regulators, people familiar with the exchanges said.

Tighter oversight over data security and personal-information protection has become a new norm for businesses in China. In July, authorities fined Chinese ride-hailing company Didi Global Inc. $1.2 billion for rules breaches, including some involving data practices. Beijing launched an investigation of Didi days after its blockbuster U.S. initial public offering.