China Issues Security Review Guidelines for Big Companies Exporting Data

Last updated October 29, 2021

China’s top internet regulatory authority has issued draft guidelines for security regulations affecting companies with over 1 million users. All such companies will have to undergo a security review by the Cyberspace Administration of China (CAC) before they are cleared for sending user data abroad.

These regulations also apply to all "critical information infrastructure" operators and the companies working with them as well as any “important” info for overseas transmission. Also included are companies that have already sent or are planning to send private info of over 100,000 users or "sensitive" info on 10,000 users. The proposed guidelines are open to public review until Nov. 28.

The CAC had suspended the opening public offering made by ride-hailing giant Didi Chuxing (DIDI.N) over alleged data violations. In the same month, it proposed the aforementioned regulations for companies holding the data of at least 1 million customers. Following this, China’s industry ministry published draft rules to enhance its data security laws with a focus on defining “core” and "important" data.

These definitions determine which international data transfers will be subject to government approval. These regulations issued on Friday also detailed documents organizations must submit. It also mentioned the timeline for the complete security review at 45 days or 60 days in case of “complicated circumstances.”

Moreover, data sets that cleared the security review will hold a 2-year validity but still remain subject to “changes in the legal environment of the country or region where the overseas receiver is located.” In such cases, the Chinese government may undertake a new inspection.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: