China has delayed the implementation of cross-border data transfer rules that were set to go into force at the end of 2018, according to a report from the Financial Times.
The cross-border data transfer rules are part of China’s sweeping Cybersecurity Law, which came into effect on June 1, 2017. Regulators, however, had given businesses until December 31, 2018 to comply with the cross-border data transfer components of the law.
According to the Financial Times, China has further delayed the implementation of the rules over concerns that they could trigger a backlash from the US amid trade deal negotiations.
These rules have come under scrutiny from the US and foreign business groups, who fear that sensitive data could be accessed by the Chinese state and that the rules are a de facto protectionist barrier that prevent internet and cloud companies from competing in China.
As China seeks to finalize an agreement with the US, it appears as though the leadership does not want to start enforcing the data localization rules, given how controversial they are.
What is being delayed?
The Cybersecurity Law and associated guidelines and measures put forward strict regulations about what type of data must be stored within mainland China and how data can be transferred abroad.
According to the rules, some data must be stored in servers based in mainland China, and firms must undergo security assessments if they wish to transfer certain data overseas.
These rules apply to “personal data”, which includes identifiable data about individuals and entities, and “important data”, which broadly refers to data related to critical infrastructure and the “public interest”. Important data in particular is subject to strict review from cyberspace and industry regulators.
Besides the expansive authority the law grants to regulators, business groups have also complained that the terms and definitions in the law are overly broad and vague, making it unclear what steps they should take to comply. While these criticisms were partially addressed in guidelines released after the initial Cybersecurity Law, businesses say that they remain unclear.
What are the implications for businesses?
While the cross-border data transfer requirements have reportedly been delayed, businesses should note that the delay is not an official announcement on the public record, but a strategic choice reported in the media amid trade war negotiations.
For businesses, that means they may be given more time to comply with the rules, but there is no publicly available timeframe for when they may begin to be implemented. Accordingly, businesses should continue to act as if the December 31, 2018 deadline is still in place, even if its enforcement may be delayed.
Besides uncertainty about when implementation will begin, the news also brings up the possibility that the content of the rules could be subject to change. The US has reportedly already brought up the Cybersecurity Law in trade negotiations with China, so it is possible that aspects of the law could change as a concession on the Chinese side.
That means that businesses face the uncertainty of both if and when the data transfer rules will be implemented, as well as if the rules themselves may change. Despite this uncertainty, however, it is prudent for businesses to assume that the rules as currently understood could potentially be enforced in the near-term.
China Briefing is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia from offices across the world, including in Dalian, Beijing, Shanghai, Guangzhou, Shenzhen, and Hong Kong. Readers may write to firstname.lastname@example.org for more support on doing business in China.