This article is co-authored by Stephen Claeys and Shawn Chang of the Telecom, Media, & Technology practice.
Proposed Chinese regulations (open in Google Chrome for English translation) could substantially limit the ability of companies in China from sending data outside of that country. If implemented, the regulations would potentially affect almost any type of business or data flow.
The regulations are to implement China’s wide-ranging Cybersecurity Law, which goes into effect on June 1. This law already raised concerns due to its new security review requirements for data sent outside of China and a broadened scope for information that must be kept inside of China, among other troublesome provisions.
The proposed regulations increase these concerns because it vaguely defines the data subject to security review, such as data that could impact “national security and social public interests” that suggests that the Chinese government in some situations could have the ability to review any data sent overseas. In addition, the regulations’ definition of companies subject to the national security review and server localization requirements is also vague. Almost any company that uses telecommunications or Internet services could be subject to the regulation, including if the data flows are within a company.
Comments on the draft regulations are due by May 11. However, an effective effort to meaningfully change the regulations would likely require a broad strategy involving not only business interests but also government-led responses.