China regulator to make holders of more than 1 mln users’ data get annual audits

China’s cyberspace regulator issued on Thursday draft rules requiring service providers that hold data on more than 1 million people to undergo at least one compliance audit a year, another step in efforts to control data and information.

Infrastructure information providers or services that process data of more than one million users must undergo a security review conducted by an agency appointed by the regulator if they are supplying data overseas, the Cyberspace Administration of China (CAC) said in its draft.

For the latest headlines, follow our Google News channel online or via the app.

The appointed compliance agency must also evaluate services that own the data of more than 100,000 users, or those with sensitive data of more than 10,000 users, the CAC said.

Services that hold data of fewer than 1 million users must undergo a personal information compliance check at least once every two years, the CAC said.

China has in recent years tightened controls on data and infor-mation, especially data and information that flows abroad.

Legislators in April passed a wide-ranging update to anti-espionage legislation, banning the transfer of information
related to national security and broadening the definition of spying.

The CAC last year required platform companies with data on more than 1 million users to undergo a security review before listing their shares overseas.

Read more: China plans three-tier data strategy for companies to avoid US delistings: FT