China to make holders of more than 1 million users’ data get annual audits

BEIJING (Reuters) – China’s cyberspace regulator issued on Thursday draft rules requiring service providers that hold data on more than 1 million people to undergo at least one compliance audit a year, another step in efforts to control data and information.

Infrastructure information providers or services that process data of more than one million users must undergo a security review conducted by an agency appointed by the regulator if they are supplying data overseas, the Cyberspace Administration of China (CAC) said in its draft.

The appointed compliance agency must also evaluate services that own the data of more than 100,000 users, or those with sensitive data of more than 10,000 users, the CAC said.

Services that hold data of fewer than 1 million users must undergo a personal information compliance check at least once every two years, the CAC said.

China has in recent years tightened controls on data and information, especially data and information that flows abroad.

Legislators in April passed a wide-ranging update to anti-espionage legislation, banning the transfer of information related to national security and broadening the definition of spying.

The CAC last year required platform companies with data on more than 1 million users to undergo a security review before listing their shares overseas.

(Reporting by Albee Zhang, Brenda Goh and Beijing newsroom; Editing by Robert Birsel)
