Comments to the Cyberspace Administration of China Regarding Certification of Personal Information Transferred Abroad
Introduction and Summary
The Information Technology and Innovation Foundation (ITIF) appreciates the opportunity to comment to the Cyberspace Administration of China (CAC) regarding the draft measures for the certification of personal information transferred abroad.[1] The draft measures make clear the People’s Republic of China (PRC) government’s understandable intent to protect its citizenry’s data, regardless of their global location, and to reinforce data security. However, the draft measures will likely harm both the global and Chinese economies through unintended consequences: significantly raising compliance costs, making it more difficult for multinational companies in China to conduct business, and creating delays and obstacles to processing and transferring data for China’s digital economy.
CAC Should Reduce Compliance Costs, Ambiguity, and Extraterritorial Regulation for Personal Information Transferred Abroad
CAC states the draft measures will “promote the efficient, convenient and safe cross-border flow of personal information.” This will not be the case for foreign companies with at least a moderate digital presence in China: under the draft measures their current data governance strategies will likely become fragmented, forcing the development of entirely new data governance strategies for their China operations. As a result, the draft measures’ largest impact will likely be to impose additional barriers to the global free flow of data and to accelerate the ongoing withdrawal of foreign companies’ operations from China, including the recent practice of multinational companies divesting their China-based operations.[2] In order to prevent this, CAC should reconsider several points to make the proposed rule less burdensome for foreign companies, ease the rule’s extraterritorial remit, and decrease the rule’s overall compliance cost for multinational companies.
Compliance Cost
The draft measures present a steep compliance cost for multinational companies conducting business in China. As described in Article 9, multinational companies without a physical presence in China would be required to apply for certification through “specialized institutions established within the territory of China.”[3] Professional certification bodies would then conduct “continuous monitoring” of the companies throughout the entire, unspecified validity period of the certification.[4]
For multinational companies that offer their services to Chinese users but do not have an office in China, such as Shopify, both the application and the subsequent monitoring would be difficult to manage from overseas, as these companies would likely be unfamiliar with the cultural and linguistic demands of conducting business in China.[5] A company in this position would additionally need to grant access to sensitive internal processes and data to a potentially state-affiliated institution over which it would have little control or visibility. This would introduce significant risks, including data leakage and misalignment with the company’s operational and compliance standards.
CAC’s blog post that accompanies the draft measures makes it clear that a secondary goal of the draft measures is to further regulate the outbound data certification services industry, which CAC critiques as “lack[ing] supervision and guidance.”[6] This, coupled with the extensive stipulations for becoming a CAC-registered professional certification body, as set out in the draft measures’ Article 8, makes it unlikely that a multinational company would be approved for this role.[7] Approval is even less likely given the PRC’s audits, fines, and scrutiny directed at foreign due diligence companies operating in China in recent years.[8]
Despite those impediments, CAC should approve foreign due diligence companies to become CAC-registered certification bodies and allow multinational companies to use them as their professional certification bodies to ease their compliance costs. Allowing foreign due diligence companies to certify compliance with the PRC’s 2021 Personal Information Protection Law (PIPL) and other PRC regulation would enable multinational companies to use a single provider to certify a variety of global data protection standards. Such a measure would also signal the PRC’s adherence to global business standards and boost its efforts to attract foreign direct investment.[9] Additionally, such a measure would dovetail with the PRC’s 2024 pilot program to allow fully foreign-owned and operated data centers and other data infrastructure in China.[10] CAC should consider easing these restrictions for further buy-in to the draft measures’ proposals for multinational companies.
Lack of Clarification
The accompanying blog post to the draft measures states that the proposed regulation demonstrates China’s “inclusive and open attitude towards international cooperation in cross-border data,” but in their current state, the measures are far too vague and lack cohesion with international standards.[11] CAC should clarify aspects of the rule and offer guidance on how the draft measures and the PIPL’s definitions map to other global data frameworks’ definitions such as those in the Global Cross-Border Privacy Rules Declaration (CBPR). Such clarification would support the PRC’s goal of maintaining a competitive international business environment that a full range of stakeholders can comply with.
For example, the draft measures mention—but deliberately exclude—an explanation of how the CAC would regulate the category of “important data,” which likely refers to data “concerning national security, lifelines of the national economy, important aspects of people’s lives, [and] major public interests” as defined in the PRC’s 2021 Data Security Law.[12] The broadness of this category and the vagueness of its different components present further issues for China’s business environment.
Consider an example that demonstrates the difficulty of complying with the draft measures and this specific definition: a multinational pharmaceutical company operates in China and successfully obtains certification for the protection of personal information exported abroad. The company conducts a clinical trial in China and finalizes a dataset based on the trial, which it plans to send back to its headquarters in the United States for analysis. The dataset includes personal information, such as the names of subjects in the trial, and potentially also includes sensitive personal information, such as the subjects’ medical histories, so the draft measures’ certification applies. However, if the company chooses to export the dataset abroad, it will have to consider whether the dataset, if aggregated and analyzed, could reveal health trends across China that could be relevant to the PRC’s national security. If relevant, the dataset would also technically include important data, and the company could be subject to stricter regulation.
While the draft measures make clear which data fall inside and outside the certification framework, they fail to make clear how these definitions would be administered in the regulatory process. Due to the ambiguities illustrated by this example, companies may be deliberately cautious in processing data in China, ultimately slowing operations.
To increase the ease of conducting business in China and ensure international businesses can align their practices with PRC law, the CAC should: 1) clarify the definition of “important data” and how it relates to the draft measures; and 2) map the draft measures to other international data standards like the CBPR. Through clarification on these points, CAC can reduce friction for multinational companies in China and support the PRC’s economic development.
Extraterritorial Nature
The draft measures are highly extraterritorial in their scope of personal information transferred abroad. This creates two issues. First, the draft measures might implicate and penalize scores of companies that did not intentionally target the data collection of Chinese nationals. Second, they risk distorting market conditions by unintentionally influencing consumer brand preferences.
According to the PIPL, personal information transfer across borders “includes the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information.” These different types of data processing are common among social media, e-commerce, cloud, fintech, and many more online service providers. Based on this wide jurisdiction, the draft measures will apply to many multinational companies that involve at least a moderate amount of data processing.
These multinationals include companies with unblocked services in China, such as Airbnb, as well as companies that operate in China through partnerships with local organizations, such as Zoom. However, the draft measures would also apply to companies whose online services are blocked in China, such as Google. Chinese nationals might still access these companies using virtual private networks. For these companies, many of which may not physically operate in China, the draft measures could be particularly burdensome. Despite not expressly targeting Chinese nationals’ personal information in the first place and facing a block on their services from the Chinese government, these companies could still be found in violation of the PIPL. This could even occur without the company’s knowledge: a company unaware that it must certify its data flows might proceed with business as usual, never considering that PRC data protection laws apply. Such a company might unknowingly process Chinese nationals’ data abroad and, as a result, face penalties for non-compliance.
Such companies might not be exposed to the same risk as companies with an established presence in China that are found non-compliant, but government scrutiny could still harm their reputation and brand. Conversely, companies that successfully apply for and are granted data transfer certification might gain trust with Chinese customers. Companies that do not explicitly target Chinese users but to which the draft measures nonetheless apply may have to weigh the benefits and drawbacks of either applying for certification or proactively changing their data processing activities to explicitly avoid regulation.
This extraterritoriality risks making multinational companies warier of having Chinese nationals—whether located in China or abroad—access their services. This could have macroeconomic and geopolitical repercussions. Chinese nationals living abroad might face difficulties in accessing work, research, and communication online services, creating inefficiencies for China’s economy to operate globally.
CAC should strongly consider narrowing the scope of the draft measures to only focus on companies with both a physical presence in China and with full legal authorization to operate on China’s Internet. Alternatively, CAC could offer an exception to companies that do not have a deliberate intent to target Chinese users of their platforms that would typically make those companies subject to the PIPL.
Impact of Data Localization
Barriers that make transferring data overseas more expensive and time-consuming create significant costs for both the global economy and the economies of the countries that enact these barriers.[13] Data localization reduces trade, harms productivity, and increases prices.[14] While the CAC-proposed draft measures focus more on certifying data flows than mandating data localization, the proposed regulation will likely increase data localization: a June 2022 McKinsey report identified data localization as a popular market-based strategic decision multinational companies will make in response to geographic restrictions on data exports.[15] Indeed, the GDPR, which imposes a number of territorial restrictions on where European Union users’ data can be transferred, has increased data localization practices for companies operating in Europe.[16]
Despite ongoing tensions and competition between China and the United States, a huge amount of data still flows between the two countries’ digital economies, not only for trade purposes and multinational companies’ cross-border operations, but also in research, as evidenced by the recently extended U.S.-PRC Science and Technology Agreement.[17] The draft measures, along with the PIPL that they attempt to implement, threaten to stifle this collaboration through a shift towards data localization, further fragmenting and isolating the international business and innovation environment.
Conclusion
The draft measures’ vague definitions, extraterritorial reach, and steep compliance costs create substantial barriers for multinational companies. Without any changes, these rules risk accelerating the withdrawal of foreign companies from China. By streamlining compliance costs, clarifying definitions, and easing the extraterritorial scope of the legislation, CAC can foster a more business-friendly environment while still ensuring data security for personal information.
Thank you for your consideration.
Endnotes
[1]. Cyberspace Administration of China, “Notice of the Cyberspace Administration of China on Soliciting Public Opinions on the Draft Measures for the Certification of the Protection of Personal Information Transferred Abroad,” public notice, January 3, 2025, https://www.cac.gov.cn/2025-01/03/c_1737600915141373.htm.
[2]. Chi Hung Kwan, “Foreign Companies' Accelerated Withdrawal from China - A Catalyst for Global Business Restructuring,” (RIETI, October 2024), https://www.rieti.go.jp/en/china/24101601.html.
[3]. Cyberspace Administration of China, “Notice of the Cyberspace Administration of China on Soliciting Public Opinions on the Draft Measures for the Certification of the Protection of Personal Information Transferred Abroad,” public notice, January 3, 2025, https://www.cac.gov.cn/2025-01/03/c_1737600915141373.htm.
[4]. Ibid.
[5]. Shopify Headquarters and Office Locations, Shopify, accessed January 21, 2025, https://craft.co/shopify/locations.
[6]. Zhenhuan Guo and Songhao Jiang, “Expert interpretation: Establish a personal information outbound personal information protection certification system to ensure the safe and orderly cross-border flow of personal information” (Cyberspace Administration of China, January 2025), https://www.cac.gov.cn/2025-01/03/c_1737601178285111.htm.
[7]. Cyberspace Administration of China, “Notice of the Cyberspace Administration of China on Soliciting Public Opinions on the Draft Measures for the Certification of the Protection of Personal Information Transferred Abroad,” public notice, January 3, 2025, https://www.cac.gov.cn/2025-01/03/c_1737600915141373.htm.
[8]. Christian Shepherd, “China raids another global business consultancy, cites spying concerns,” May 9, 2023, https://washingtonpost.com/world/2023/05/09/china-raid-capvision-bain-business/.
[9]. State Council of the People's Republic of China, “The State Council's decision to further optimize the foreign investment environment: opinions on increasing efforts to attract foreign investment,” August 13, 2023, https://www.gov.cn/zhengce/content/202308/content_6898048.htm.
[10]. Ministry of Industry and Information Technology of the People’s Republic of China, “The pilot program of expanding the opening-up of value-added telecommunications services has officially started,” October 23, 2024, https://www.miit.gov.cn/xwfb/bldhd/art/2024/art_82129a3d7d5046a7a2bf531b3d3dcfd9.html.
[11]. Zhenhuan Guo and Songhao Jiang, “Expert interpretation: Establish a personal information outbound personal information protection certification system to ensure the safe and orderly cross-border flow of personal information” (Cyberspace Administration of China, January 2025), https://www.cac.gov.cn/2025-01/03/c_1737601178285111.htm.
[12]. The National People’s Congress of the People’s Republic of China, “Data Security Law of the People's Republic of China,” June 10, 2021, http://www.npc.gov.cn/englishnpc/c2759/c23934/202112/t20211209_385109.html.
[13]. Nigel Cory, “Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost?” (ITIF, May 2017), https://itif.org/publications/2017/05/01/cross-border-data-flows-where-are-barriers-and-what-do-they-cost/.
[14]. Nigel Cory and Luke Dascoli, How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them (ITIF, July 2021), https://itif.org/publications/2021/07/19/how-barriers-cross-border-data-flows-are-spreading-globally-what-they-cost/.
[15]. Satyajit Parekh, Stephen Reddin, Kayvaun Rowshankish, Henning Soller, and Malin Strandell-Jansson, “Localization of data privacy regulations creates competitive opportunities” (McKinsey, June 2022), https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/localization-of-data-privacy-regulations-creates-competitive-opportunities.
[16]. Nigel Cory, “How ‘Schrems II’ Has Accelerated Europe’s Slide Toward a De Facto Data Localization Regime” (ITIF, July 2021), https://itif.org/publications/2021/07/08/how-schrems-ii-has-accelerated-europes-slide-toward-de-facto-data/.
[17]. U.S. Department of State, “Amendment and Extension of the U.S.-PRC Science and Technology Agreement (STA),” media note, December 13, 2024, https://www.state.gov/amendment-and-extension-of-the-u-s-prc-science-and-technology-agreement-sta/.