Products
By Use Cases By Roles
Data Command Center
View
Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

US California CPRA

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

China Stresses for Data Exit Security Evaluation of Firms Seeking to Trade User Data

By Securiti Research Team

Published November 2, 2021 / Updated May 29, 2023

On Friday, October 29th, 2021, the Cyberspace Administration of China (CAC) requested public comments on Data Exit Security Evaluation (Draft Measures).

The Draft Measures stress that data transfer firms must comply with China's Personal Information Protection Law, commonly referred to as PIPL, before sending user-related data outside China. The Draft Measures aim to expedite efforts on thwarting data security risks.

The Draft Measures concern companies with more than 1 million users in China to do an extensive security review before exporting Chinese individuals' user data to foreign entities. The aim is to regulate data exit activities and have standard operating procedures for companies seeking data exit under the PIPL, Data Security Law (DSL), and Cybersecurity Law (CSL).

Major Requirements Under the Draft Measures:

The Draft Measures require companies transferring data outside of China that meet one of the following circumstances must declare the Data Exit Security Assessment of the data to the National Network Information Department through the provincial CAC:

Personal information and important data collected and generated by operators of critical information infrastructure;
Providing the personal information of more than 100,000 people or sensitive personal information of more than 10,000 people outside of China;
Outbound data contains essential data;
Personal Information Processors who have processed the personal information of one million people provide personal data outside of China; or
Other situations required by the CAC require Data Exit Security Assessment.

Organizations subject to a Data Exit Security Assessment would first need to conduct a Data Exit Risk Self Assessment. The details of this assessment are mentioned under Article 4 of the Draft Measures.

Organizations would also be required to submit the following materials for the Data Exit Security Assessment:

Declaration;
Data Exit Risk Self-Assessment report;
Contracts or other legally binding documents drawn up by the data processor and the overseas recipient;
Other materials required for security assessment.

These Draft Measures also require that companies that have already sent abroad, or intend to send overseas, the personal information of more than 100,000 users or "sensitive" personal information belonging to 10,000 users would also be bound by the requirement.

Please note that a successful security review would have a two-year validity period under these Draft Measures, but factors such as "changes in the country's legal environment or region where the overseas receiver is located" could prompt a new review.

According to Zuo Xiaodong, vice president of the China Information Security Research Institute, "the Draft Measures are a concrete implementation of data going abroad among three pillar-like acts in China. These Draft Measures are not only for data security or cybersecurity but also an indispensable step to ensure the safe development of cross-border business."

As Beijing reinforces its control on Chinese companies and the vast troves of data they control, it's imperative for companies operating in China to comply with China's Data Protection Laws and Cross-Border Data Transfers.

Failure to comply with China's broad laws regarding privacy, companies can and have faced grave consequences. China has recently passed PIPL (effective from November 1st, 2021). The law aims to protect the rights, interests and personal information processing activities of users. With PIPL enforced, companies should immediately strategise efforts and construct ways to comply with these Draft Measures requirements. Failure to comply could lead to hefty fines from the Chinese authorities.

You can read the Draft Measures available in Chinese and convert them to English for additional information and a detailed understanding of the cross border data transfers under PIPL, DSL and CSL. The Chinese regulator welcomes public comments to the proposed proceedings until November 28th, 2021.

With global data privacy laws such as the GDPR and CCPA already proving to be an increasing challenge for businesses, companies must stay ahead and refer to relevant resources for helpful information regarding security assessments, privacy laws etc.