Risk Management

China draft cyber law mandates security assessment for outbound data

April 11, 2017 Reprints

China Cyber Risks More + Less -

China draft cyber law mandates security assessment for outbound data

(Reuters) — China’s top cyber authority on Tuesday released a draft law that would require firms exporting data to undergo an annual security assessment, in the latest of several recent safeguards against threats such as hacking and terrorism.

Any business transferring data of over 1,000 gigabytes or affecting over 500,000 users will be assessed on its security measures and on the potential of the data to harm national interests, showed the draft from the Cyberspace Administration of China.

The law would ban the export of any economic, technological or scientific data whose transfer would pose a threat to security or public interests. It would also require firms to obtain the consent of users before transmitting data abroad.

The proposed law, which focuses on personal information security, comes just a day after state media reported government rewards of $1,500 to $73,000 for citizens who report suspected spies.

It is also an extension of legislation passed in November formalizing a range of controls over firms that handle data in industries the government deems critical to national interests.

Business groups have criticized the November law, which is effective from June, calling rules “vague” and claiming they unfairly target foreign companies with stringent requirements.

Chinese officials denied that the November law targets foreign firms.

Under the rules released on Tuesday, sensitive geographic data such as information on marine environments would also be subject to scrutiny. Destination countries and the likelihood of oversees tampering would also be factored in to any assessments.

The draft is open for public comment until May 11.