The measure is needed to protect the Chinese public and “safeguard national security,” the Cyberspace Administration of China said.
President Xi Jinping’s government sees information about China’s 1.4 billion people as a potential security risk in private hands. It has issued a flurry of rules tightening control over how companies gather and handle information.
A crackdown on data security launched in late 2020 fueled anxiety among investors, who have knocked more than $1.3 trillion off the total market value of e-commerce platform Alibaba, games and social media operator Tencent and other tech giants.
Companies that want to transfer important data abroad would have to report on how much and what type of information is involved and security measures, according to the CAC. Regulators would decide within a week whether to accept that or conduct their own review, which could last up to 60 days.
The rules would apply to transfers that involve “sensitive personal information” of at least 10,000 people or any company that handles information on more than 1 million people. They give no details of what is important or sensitive.
Rules imposed earlier prohibit companies from storing information about Chinese citizens abroad.
That prompted complaints that global companies are put at a disadvantage because they can't combine information from China with other countries, while Chinese competitors can collect all their data at their headquarters.
A separate law that takes effect Monday establishes security standards, prohibits companies from disclosing information without customer permission and tells them to limit how much they collect. Unlike data protection laws in Western countries, the Chinese rules say nothing about limiting government or ruling Communist Party access to personal information.