• In a proposed draft, the Cyberspace Administration of China has said no government oversight is needed for data exports if regulators haven't stipulated that it qualifies as "important."
• New "draft regulation relieves companies of some of the difficulties with cross-border data transfer and personal information protection," the European Union Chamber of Commerce in China said in a statement to CNBC.
• The U.S.-China Business Council's latest annual survey found the second-biggest challenge for members this year was around data, personal information and cybersecurity rules.

BEIJING — Chinese authorities are signaling a softer stance on once-stringent data rules, among recent moves to ease regulation for business, especially foreign ones.

Over the last few years, China has tightened control of data collection and export with new laws. But foreign businesses have found it difficult to comply — if not operate — due to vague wording on terms such as "important data."

Now, in a proposed update, the Cyberspace Administration of China (CAC) has said no government oversight is needed for data exports if regulators haven't stipulated that it qualifies as "important."

That's according to draft rules released late Sept. 28, a day before the country went on an eight-day holiday. The public comment period closes Oct. 15.

"The release of the draft is seen as a signal from the Chinese Government that it is listening to businesses' concerns and is ready to take steps to address them, which is a positive," the European Union Chamber of Commerce in China said in a statement to CNBC.

"The draft regulation relieves companies of some of the difficulties with cross-border data transfer and personal information protection partly by specifying a list of exemptions to relevant obligations and partly by providing more clarity on how data handlers can verify what is qualified by authorities as 'important data,'" the EU Chamber said.

The EU Chamber and other business organizations have lobbied the Chinese government for better operating conditions.

The cybersecurity regulator's draft rules also said data generated during international trade, academic cooperation, manufacturing and marketing can be sent overseas without government oversight — as long as they don't include personal information or "important data."

"This is a small but important step for Beijing to show it's walking the walk when the State Council earlier pledged to facilitate cross-border data flows to improve the investment climate," Reva Goujon, director, China Corporate Advisory at Rhodium Group, said in an email Friday.

The proposed changes reflect how "Beijing is realizing that there are steep economic costs attached to its data sovereignty ideals," Goujon said.

"Multinational corporations, particularly in data-intensive sunrise industries which Beijing is counting on to fuel new growth, cannot operate in extreme ambiguity over what will be considered 'important data' today versus tomorrow and whether their operations will seize up over a political whim by CAC regulators." 

More regulatory clarity for business?

China's economic rebound from Covid-19 has slowed since April. News of a few raids on foreign consultancies earlier this year, ahead of the implementation of an updated anti-espionage law, added to uncertainties for multinationals.

"When economic times were good, Beijing felt confident in asserting a stringent data security regime in the footsteps of the EU and with the US lagging behind in this regulatory realm (for example, heavy state oversight of cross-border data flows and strict data localization requirements)," Rhodium Group's Goujon said.

The country's top executive body, the State Council, in August revealed a 24-point plan for supporting foreign business operations in the country.

The text included a call to reduce the frequency of random inspections for companies with low credit risk, and promoting data flows with "green channels" for certain foreign businesses.

During consultancy Teneo's recent trip to China, the firm found that "foreign business sources were largely unexcited about the plan, noting that it consists mostly of vague commitments or repackaging of existing policies, but some will be useful at the margin," managing director Gabriel Wildau said in a note.

He added that "the 24-point plan included a commitment to clarify the definition of 'produced in China' so that foreign companies' domestically made products can qualify."

When U.S. Commerce Secretary Gina Raimondo visited China in August, she called for more action to improve predictability for U.S. businesses in China. Referring to the State Council's 24 points, she said: "Any one of those could be addressed as a way to show action."

The U.S.-China Business Council's latest annual survey found the second-biggest challenge for members this year was around data, personal information and cybersecurity rules. The first challenge they cited was international and domestic politics.

The council was not available for comment due to the holiday in China.

While the proposed data rules lower regulatory risk, they don't eliminate it because "important data" remains undefined — and subject to Beijing's determination at any time, Martin Chorzempa, senior fellow at the Peterson Institute for International Economics, and Samm Sacks, senior fellow at Yale Law School Paul Tsai China Center and New America, said in a PIIE blog post Tuesday.

Still, "not only did the leadership commit to a more 'transparent and predictable' approach to technology regulation in the wake of the tech crackdown, the new regulations follow directly on the State Council's 24 measures unveiled in August, which explicitly call for free data flows. Other concrete actions to improve the business environment could flow from those measures as well," Chorzempa and Sacks said.

The proposed changes to data export controls follow an easing in recent months on other regulation.

In artificial intelligence, Baidu and other Chinese companies in late August were finally able to launch generative AI chatbots to the public, after Beijing's "interim regulation" for the management of such services took effect on Aug. 15.

The new version of the AI rules said they would not apply to companies developing the tech as long as the product was not available to the mass public. That's more relaxed than a draft released in April that said forthcoming rules would apply even at the research stage.

The latest version of the AI rules also did not include a blanket license requirement, only saying that one was needed if stipulated by law and regulations. It did not specify which ones.

Earlier in August, Baidu CEO Robin Li had called the new rules "more pro-innovation than regulation."