New draft guidelines released by the agency in charge of China's information infrastructure make it possible for Beijing to restrict US companies from cross-border data transfers if they threaten to "impact national security, damage public interest or [are] not fully secured."
If passed, the new regulations, published by the Cyberspace Administration of China, the country's powerful internet regulator, may restrict US companies from doing business in the country and thus, according to data security resource CPO Magazine, "represent a clear tit-for-tat in the escalating trade and cyber war between the US and China."
A summary of the rules published by the Global Times on Thursday specifies that network operators are required to assess personal data, "including ID, address and phone number" information before it is sent outside the country, and prevent this from happening if doing so might pose a threat to the protection of personal information, national security and China's "national cyberspace sovereignty."
"Internet operators need to set up a file on the cross-border data transfer and keep it for at least 5 years, including identif[ication] of overseas receivers and the sensitivity of [the] personal information. They need to report annually to provincial-level cyberspace departments," the Global Times summary of the draft added.
According to CPO Magazine, the draft of the new rules, which remains open to public feedback until 13 July, "might expose US tech firms to greater scrutiny under 'national security' grounds if they plan to do business in the Chinese market."
It remains unclear at this point what penalties may be applied if a foreign tech company were to be found in violation of the new rules. However, Nick Marro, a Hong Kong-based analyst with The Economist Intelligence Unit, told the South China Morning Post that the draft may already be causing headaches for foreign companies.
"For example, if you are sending salary information, health information on your Chinese employees to your global database to get a sense of your company's diversity, then you will need to understand how this regulation will unfold," he said.
Companies providing services to consumers may be similarly affected if they want to send information about Chinese customers to a team outside China, Marro added.
The latest potential modifications to Chinese cybersecurity regulations are not the first time changes have been made since the trade conflict between China and the US began escalating in 2018. Last month, The Global Times speculated that an earlier amendment to China's cybersecurity rules which required companies connected to key information infrastructure to face regular cybersecurity reviews by regulators may have served as a form of "retaliation" to the Trump administration's crackdown on Huawei on similar 'national security' grounds.
In recent weeks, US consumer-oriented tech giants including Google, Apple, Microsoft, as well as Broadcom, Intel, Qualcomm, Xilinx, Western Digital and others suspended their business with Huawei, as per US regulations restricting permissible commerce with the company and dozens of its foreign subsidiaries and affiliates under Export Administration Regulations.
On Wednesday, Huawei released a memo protesting the US' attempts to throttle it, alleging that it was being targeted 'simply for being Chinese'. US intelligence agencies had previously accused the company of putting 'backdoor' access tools into its devices, enabling the Chinese government to spy on users. Huawei has repeatedly denied this.