China’s Data Exodus Nightmare: A Quarter of Applications Approved as Businesses Drown in Regulatory Quagmire

101

China’s labyrinthine data security regulations have ensnared businesses in a bureaucratic nightmare, with only a mere 25% of applications to export data receiving the elusive nod from the Cybersecurity Administration of China (CAC). The ordeal, unleashed by new data security laws in September 2022, has left enterprises gasping for breath as they attempt to navigate a complex maze of government approvals, dealing a severe blow to economic prospects.

Under the draconian law, companies with more than 1 million registered users must seek government approval for cross-border data transfers. A seemingly straightforward process, it has metamorphosed into a Herculean task, leaving businesses teetering on the edge of despair.

The once-imposing threshold, designed to safeguard national interests, has become an insurmountable obstacle for both local and international businesses. Sources within the CAC reveal that an abysmal 25% of all applications have received approval, plunging the majority into an abyss of uncertainty.

The CAC, China’s chief internet regulator, has been ominously silent about the total number of applications, leaving the business community in the dark about the scale of the crisis. The regulator ceased publishing approval figures in May, further shrouding the process in mystery.

While the law stipulates a 57-working-day timeframe for a data security review, companies find themselves entangled in a bureaucratic quagmire that stretches for months. The seemingly interminable wait is exacerbated by relentless requests for additional information, pushing companies to revise their applications numerous times.

A high-ranking official within the CAC confessed, “Not a single company can complete the data security review within the officially suggested timeframe. The whole process becomes very time-consuming as the CAC consistently demands corrections and additional materials.”

The unpredictable nature of China’s policymaking has turned the approval process into a nightmarish rollercoaster ride for businesses. The CAC’s struggle to implement the export rules has underscored the challenges faced by Beijing as it attempts to balance economic growth and national security.

Analysts suggest that the CAC’s predicament reflects a paradigm shift where national security now takes precedence over economic growth. Karman Lucero, a researcher at Yale Law School, observes, “Now the dynamics shifted, where folks recognise more explicitly that there is this contradiction between those two goals, and increasingly the government is choosing security regardless of what they say.”

Since the introduction of the law, Beijing has mandated a security assessment for companies dealing with critical information infrastructure, crucial data for national security, and large volumes of user information before allowing data to be sent abroad.

The situation is dire, with only two companies in Shanghai receiving regulatory approval to transfer data abroad by early May. In the same period, over 400 companies had applied for permission, leaving the vast majority in a state of bureaucratic limbo.

While Beijing attempted to ease the regulations in September 2023, allowing some data to be sent abroad without review, the permissions granted since then have done little to expedite the process. Multiple data security lawyers confirm that companies still spend a minimum of six months undergoing a CAC review.

The lack of clarity in defining “important data” for exports adds to the confusion. A CAC official remarked, “Some seemingly trivial data may one day become significant along with the development [of] AI technology. All we can do is make decisions on a case-by-case basis.”

The plight of businesses caught in this regulatory crossfire has led to a phenomenon colloquially referred to as “lying flat,” with many companies abandoning hopes of passing data security reviews. Some have dropped export plans altogether, while others risked selling overseas without obtaining a data security clearance.

China’s shifting regulatory landscape and the whims of policymaking have created an uncertain future for businesses awaiting approval. The same official within the CAC admits, “We have indeed relaxed a bit, but I can’t guarantee we’ll tighten again [in 2024] in the event of an escalation of US-China tensions.”

Businesses are now left to grapple with the repercussions of a bureaucratic nightmare that shows no signs of abating. Will China’s data security regulations strangle economic growth in the pursuit of national security, or will the pendulum swing back towards a more growth-oriented approach? Only time will reveal the fate of businesses caught in the crossfire of conflicting goals.