IDC Names Securiti a Worldwide Leader in Data PrivacyView
On Friday, October 29th, 2021, the Cyberspace Administration of China (CAC) requested public comments on Data Exit Security Evaluation (Draft Measures).
The Draft Measures stress that data transfer firms must comply with China's Personal Information Protection Law, commonly referred to as PIPL, before sending user-related data outside China. The Draft Measures aim to expedite efforts on thwarting data security risks.
The Draft Measures concern companies with more than 1 million users in China to do an extensive security review before exporting Chinese individuals' user data to foreign entities. The aim is to regulate data exit activities and have standard operating procedures for companies seeking data exit under the PIPL, Data Security Law (DSL), and Cybersecurity Law (CSL).
The Draft Measures require companies transferring data outside of China that meet one of the following circumstances must declare the Data Exit Security Assessment of the data to the National Network Information Department through the provincial CAC:
Organizations subject to a Data Exit Security Assessment would first need to conduct a Data Exit Risk Self Assessment. The details of this assessment are mentioned under Article 4 of the Draft Measures.
Organizations would also be required to submit the following materials for the Data Exit Security Assessment:
These Draft Measures also require that companies that have already sent abroad, or intend to send overseas, the personal information of more than 100,000 users or "sensitive" personal information belonging to 10,000 users would also be bound by the requirement.
Please note that a successful security review would have a two-year validity period under these Draft Measures, but factors such as "changes in the country's legal environment or region where the overseas receiver is located" could prompt a new review.
According to Zuo Xiaodong, vice president of the China Information Security Research Institute, "the Draft Measures are a concrete implementation of data going abroad among three pillar-like acts in China. These Draft Measures are not only for data security or cybersecurity but also an indispensable step to ensure the safe development of cross-border business."
As Beijing reinforces its control on Chinese companies and the vast troves of data they control, it's imperative for companies operating in China to comply with China's Data Protection Laws and Cross-Border Data Transfers.
Failure to comply with China's broad laws regarding privacy, companies can and have faced grave consequences. China has recently passed PIPL (effective from November 1st, 2021). The law aims to protect the rights, interests and personal information processing activities of users. With PIPL enforced, companies should immediately strategise efforts and construct ways to comply with these Draft Measures requirements. Failure to comply could lead to hefty fines from the Chinese authorities.
You can read the Draft Measures available in Chinese and convert them to English for additional information and a detailed understanding of the cross border data transfers under PIPL, DSL and CSL. The Chinese regulator welcomes public comments to the proposed proceedings until November 28th, 2021.
With global data privacy laws such as the GDPR and CCPA already proving to be an increasing challenge for businesses, companies must stay ahead and refer to relevant resources for helpful information regarding security assessments, privacy laws etc.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.