Published on October 18, 2022. Author: Privacy Research Team
Data continues to be one of the most vital assets for organizations globally. Through various insights gained from data, organizations can innovate, keeping in mind their users' behaviors, perceptions, and aspirations. A key element behind that is data gained from across the world, allowing for a deeper understanding of how customers across the world may differ in what they want.
However, as lucrative as that prospect may be, there are significant privacy and security concerns related to data transfers from one country or region to another. Most data regulations contain cross-border data transfer guidelines and regimes to alleviate these concerns and provide secure mechanisms for data transfers across countries.
The People’s Republic of China (China), being the most populous country in the world, represents a highly attractive data source. However, the restrictions and requirements surrounding data transfers into and out of China are stricter than elsewhere, because three different privacy and cybersecurity laws govern data.
Hence, overseas businesses processing data within China must understand China’s cross-border data transfer regime and how they can ensure compliance with the requirements set to ensure a seamless flow of data to and from the country.
For the uninitiated, it is crucial to understand that under the Chinese Personal Information Protection Law (PIPL), Data Security Law (DSL), and Cybersecurity Law (CSL), cross-border data transfer requirements and obligations vary depending on two primary factors:
CSL categorizes organizations into two main groups:
Article 2 of the Regulations on the Security and Protection of Critical Information Infrastructure (“CII Regulations”) further elaborates on the industries and organizations that qualify as CIIOs. These include important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, and the national defense science and technology industry, the disruption of which could gravely jeopardize national security, the economy, and the fundamental rights and interests of the people. As per Article 8 of the CII Regulations, it is the responsibility of government regulatory departments to determine whether a company falls within the purview of a CIIO.
Here’s how a non-CIIO would have to proceed when it comes to transferring “important data” or personal data:
For a non-CIIO, transferring personal data outside China is a laborious process. Several layers of requirements need to be met, in addition to several assessments that need to be carried out concurrently.
However, if followed diligently, each of these requirements can be honored, allowing personal data to be transferred outside China without interruption. Here’s how the process works.
The PIPL is reasonably transparent about setting certain pre-transfer requirements that must be met if a business operator wants to comply with China’s strict cross-border data transfer regime. These pre-transfer requirements include the following:
Once the aforementioned pre-transfer requirements are fulfilled, the personal data transfer can occur. However, the PIPL sets strict protection standards that the overseas recipient of the data must fulfill. There are three data transfer mechanisms: security assessment, security certification, and Standard Contractual Clauses (SCCs). These are discussed in detail below:
The PIPL already places strict data localization requirements on organizations. In July 2022, the Cyberspace Administration of China (CAC) passed the Measures for Security Assessment of Data Exports (“Assessment Measures”), effective from 1 September 2022, which set out the need for organizations to carry out thorough security assessments before transferring important data and personal information outside China.
One of the export criteria set out in these Assessment Measures was that an organization that processes the personal data of more than 1 million individuals needs to conduct a security assessment and must locally store personal information collected and generated within China. A security assessment for the cross-border transfer of personal information will also be required if:
To understand the criteria and procedure for submitting a data export security assessment, please see our detailed blog on Assessment Measures.
Organizations that do not fall under the security assessment requirement can apply to a competent government agency for third-party certification. Companies that receive the accreditation are permitted to transfer data outside of China. The Certification Guidelines establish standardized cross-border processing mechanisms and also provide a certification system for personal information protection.
The Certification Guidelines have a broad scope, as they apply to:
In the case of cross-border transfers within a multinational company, the domestic party may apply for certification and assume legal responsibility for such transfers. However, in the case of extraterritorial applicability of PIPL, foreign organizations can apply for the certifications through their locally established entity or designated representative. As for unrelated entities, they’ll need to rely on the standard contract mechanism.
Organizations that carry these certifications can proceed seamlessly with their data transfer activities.
Organizations can also seamlessly transfer data out of China by adopting any of the SCCs stipulated by the CAC. To give guidance on the implementation of Article 38(1)(3) of PIPL, Draft Provisions on Standard Contracts for the Export of Personal Information (Draft Provisions) were issued. The Draft Provisions provide the following instances where organizations may rely on SCCs for cross-border data transfers:
If the organization exceeds the above-mentioned threshold, it must use the security assessment mechanism for any cross-border data transfer.
In addition, Article 6 of the Draft Provisions lays down the main contents that must be included in the standard contract for data transfers. These are largely the same as the contents of a DPIA, with the addition of the quantity, method, storage period, and storage location of the personal information once it is abroad.
Where an organization satisfies other conditions prescribed by other Chinese laws, administrative regulations, or the CAC, it may transfer personal information. Furthermore, organizations that do not need to undergo a security assessment may also rely on an international treaty or agreement that China has signed as the basis for the data transfer.
Both the CSL and DSL require organizations to carry out a mandatory security assessment regarding cross-border transfers of important data.
Organizations must have mechanisms and checks in place to promptly identify important data. The Security Assessment Measures have an unambiguous definition for important data as being “data that, once tampered with, destroyed, leaked, illegally obtained or illegally used, may endanger national security, economic operation, social stability, public health and safety, and so forth.”
The Draft Guidelines for the Identification of Important Data state that any data that contains the following can be deemed important data:
An increasing number of countries have begun drafting, or have already enforced, data privacy laws. The primary purpose behind most of these is to ensure the safety and privacy of users’ data by placing certain obligations and responsibilities upon the organizations that collect and process it.
In most cases, these obligations extend to cross-border data transfers to guarantee the same level of security is extended to users’ data if it is transferred outside the country or region where it was collected.
Securiti is a market leader in providing enterprise solutions in data governance and compliance. Its state-of-the-art artificial intelligence and machine learning algorithms enable automated compliance with all major data regulations based on its plethora of privacy products such as DSR automation, data classification, cookie consent management, and breach management, among others.
Request a DEMO today and learn more about how Securiti can help your organization comply with the PIPL, DSL, CSL, and all other global data regulations.