China’s internet regulator issued draft guidelines for cross-border data transfers yesterday, requiring companies to undergo compulsory security reviews before transferring data containing personal information—including ID numbers, addresses, and phone numbers—to overseas servers.
Network operators are required to report to provincial-level internet regulators and apply for security reviews every two years. They must also keep a record of cross-border data transfers for at least five years.
The security review will look at whether cross-board data transfers that are taking place are in accordance with relevant laws and regulations, and whether the the rights of individuals using these services are protected. Regulators will also weigh whether the contracts can be effectively enforced, the integrity of the data collection process, as well as each network operator’s history in terms of cybersecurity and privacy violations.
The evaluation process is expected to take 15 working days upon receiving company applications.
The Cyberspace Administration of China, China’s internet regulator, is soliciting public feedback on the draft until July 13.