China is delaying the release of a controversial measure that would restrict foreign companies from taking certain data out of the country, as US-China trade talks reach a critical stage.
Beijing had planned to announce regulations restricting cross-border data transfers by the end of last year, but regulators have dragged their feet to avoid sparking another confrontation with US companies, according to two people familiar with the process.
Multinationals fear that a vague requirement to keep “important data” within China could force a costly restructuring of the way they store data in the cloud.
“Some multinationals are onshoring their data already, while some are waiting and seeing,” said Carly Ramsey, associate director of Control Risks, a consultancy in Shanghai. “It’s an internal organisation issue, which is costly.”
Financial services firms, for example, often move data out of China in order to fulfil “know your customer” laws in other jurisdictions, or to run data analysis to find patterns associated with fraud.
Under the new regulations, some companies may have to “localise” such global data analytics processes in China, bringing proprietary software and possibly even personnel into the country.
“Everyone was worried about the vagueness of the definition of ‘important data,’” said a Beijing-based lawyer who asked not to be named, adding that even companies that are taking action cannot be certain they will be compliant. “This is something you can’t spend money to resolve, if you don’t know what the regulators want.”
Under draft measures released two years ago, “important data” was broadly defined as data related to “economic development” and “public interest”.
The draft regulations require companies to keep such data in China. If they can prove the need to transfer data out, then they must either carry out a “security assessment” or — if the data are especially sensitive — bring in local regulators to make an assessment.
The demand to keep data within China is part of a general push for companies to localise their tech procurement to China. Beijing has claimed its new tech regulations improve cyber security.
But lawyers say the measures also have the protectionist effect of making companies buy local services.
“While the data localisation rules have still not yet been finalised, authorities’ increased enforcement focus is creating effective pressure on international businesses to consider onshore solutions,” said Carolyn Bigg, a lawyer at DLA Piper in Hong Kong.
Under the rules, she added, companies would have to source their data storage, hosting of systems and technology procurement, including local encryption, within China.
If companies had to “onshore” their data to China, they would also have to buy cloud data services from local companies. In recent years regulators have tightened restrictions on cloud providers, ensuring that only licensed Chinese-owned companies can sell such services. As a result, Amazon sold part of its China-based cloud equipment to its local partner Beijing Sinnet Technology.
The Cyberspace Administration of China did not respond to a request for comment.