China’s data export guidelines symbolize a new era of hands-on governance of the digital economy in which Beijing will pressure local and foreign companies to align with its technological supremacy and economic self-reliance goals. The country’s top internet regulator, the Cyberspace Administration of China (CAC), released a draft document on Oct. 29 titled “Measures for Data Exit Security Evaluation,” which details a new mandatory security review process for companies with users in China seeking to send information on those users abroad. The guidelines enable Beijing to police data flows for various industries based on vague definitions of “national interest.” The security review will take 45-60 days and consider factors like damage potential in the event of a data leak, as well as the "cybersecurity environment" of destination countries, the data protection capabilities of companies, and the purpose of sending data abroad. The guidelines will be out for comment until Nov. 28, though few changes are expected. 

Businesses that will be subject to the new security review process include those that:

• Process the personal information of at least 1 million users in China.
• Handle “critical infrastructure” data that, if leaked, could threaten China's national security, economic interests, public interest or citizen’s rights. 
• Have exported or plan to export the personal information of at least 100,000 Chinese users. 
• Have exported or plan to export personal information deemed particularly “sensitive” (such as biometric, financial or geolocation data) on at least 10,000 Chinese users.

The proposed guidelines give greater detail on how authorities will handle data and cybersecurity practices defined in three major tech laws, which together impose Beijing’s views on data sovereignty. China’s 2017 Cybersecurity Law, along with the more recent Data Security Law and Personal Information Protection Law, will make companies increasingly subject to the whims of regulators and allow Beijing to treat private data as a national asset.

• The rules outlined in China’s 2017 Cybersecurity Law regarding “critical information infrastructure operators” (CIIOs) mandate corporate incident reporting and security assessment processes and empower the state to influence staffing decisions for corporate cybersecurity teams. CIIOs were only defined in August to include any organization for whom the disruption of operations could endanger China’s national security, national welfare, public interest, or people’s livelihoods.
• China’s new Digital Security Law, which took effect Sept. 1, tasks local officials with defining tiers of “important data” within various sectors. It also subjects companies handling “important data” to data export controls based on state-imposed security reviews, which are defined by the newly released export guidelines.
• The Personal Information Law, which just went into effect on Nov. 1, defines how companies should handle personal information that is now also subject to export controls. Authorities can also ban companies (including those overseas) from handling Chinese user information if they endanger national security or public interests.

These laws and the new data export rules reveal Beijing’s expansive views on national security and a growing propensity to regulate industry, as well as a decreased policy focus on economic growth. The broad categories of companies and data practices subject to these laws show Beijing’s new willingness to actively manage the complex digital economy, instead of leaving these affairs to tech companies and only regulating when systemic risks (e.g. peer-to-peer lending platforms) arise. Amid its strategic competition with the United States and Europe, Beijing is also expanding its definitions of national security to encompass economic prosperity and the public interest, which gives authorities the ability to leverage industry for achieving long-term policy goals like China’s technology supremacy, greater economic self-reliance, and tighter control over digital information. The increasingly numerous definitions of data practices and categories of companies — as seen in recent tech laws, including the newly proposed data export rules — will allow Beijing to gradually regulate the digital sphere and triage the greatest digital threats to its state policy, economic and security interests. Lastly, these laws signal a new era of Chinese governance focused on quality over quantity in economic growth, which includes tightly managed data flows. This focus will likely be codified into Communist Party doctrine by Chinese President Xi Jinping during the party’s ongoing sixth plenum, which began Nov. 8 and ends Nov. 11. Going forward, foreign companies can expect that access to China will come with more regulatory and political stipulations, marking a stark contrast to Beijing’s traditional laissez-faire attitude toward foreign firms since 1982.