Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

China Stresses for Data Exit Security Evaluation of Firms Seeking to Trade User Data

Published November 2, 2021
Author

Muhammad Faisal Sattar

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/Asia

Listen to the content

This post is also available in: Brazilian Portuguese

On Friday, October 29th, 2021, the Cyberspace Administration of China (CAC) requested public comments on Data Exit Security Evaluation (Draft Measures).

The Draft Measures stress that data transfer firms must comply with China's Personal Information Protection Law, commonly referred to as PIPL, before sending user-related data outside China. The Draft Measures aim to expedite efforts on thwarting data security risks.

The Draft Measures concern companies with more than 1 million users in China to do an extensive security review before exporting Chinese individuals' user data to foreign entities. The aim is to regulate data exit activities and have standard operating procedures for companies seeking data exit under the PIPL, Data Security Law (DSL), and Cybersecurity Law (CSL).

Major Requirements Under the Draft Measures:

The Draft Measures require companies transferring data outside of China that meet one of the following circumstances must declare the Data Exit Security Assessment of the data to the National Network Information Department through the provincial CAC:

  • Personal information and important data collected and generated by operators of critical information infrastructure;
  • Providing the personal information of more than 100,000 people or sensitive personal information of more than 10,000 people outside of China;
  • Outbound data contains essential data;
  • Personal Information Processors who have processed the personal information of one million people provide personal data outside of China; or
  • Other situations required by the CAC require Data Exit Security Assessment.

Organizations subject to a Data Exit Security Assessment would first need to conduct a Data Exit Risk Self Assessment. The details of this assessment are mentioned under Article 4 of the Draft Measures.

Organizations would also be required to submit the following materials for the Data Exit Security Assessment:

  1. Declaration;
  2. Data Exit Risk Self-Assessment report;
  3. Contracts or other legally binding documents drawn up by the data processor and the overseas recipient;
  4. Other materials required for security assessment.

These Draft Measures also require that companies that have already sent abroad, or intend to send overseas, the personal information of more than 100,000 users or "sensitive" personal information belonging to 10,000 users would also be bound by the requirement.

Please note that a successful security review would have a two-year validity period under these Draft Measures, but factors such as "changes in the country's legal environment or region where the overseas receiver is located" could prompt a new review.

According to Zuo Xiaodong, vice president of the China Information Security Research Institute, "the Draft Measures are a concrete implementation of data going abroad among three pillar-like acts in China. These Draft Measures are not only for data security or cybersecurity but also an indispensable step to ensure the safe development of cross-border business."

As Beijing reinforces its control on Chinese companies and the vast troves of data they control, it's imperative for companies operating in China to comply with China's Data Protection Laws and Cross-Border Data Transfers.

Failure to comply with China's broad laws regarding privacy, companies can and have faced grave consequences. China has recently passed PIPL (effective from November 1st, 2021). The law aims to protect the rights, interests and personal information processing activities of users. With PIPL enforced, companies should immediately strategise efforts and construct ways to comply with these Draft Measures requirements. Failure to comply could lead to hefty fines from the Chinese authorities.

You can read the Draft Measures available in Chinese and convert them to English for additional information and a detailed understanding of the cross border data transfers under PIPL, DSL and CSL. The Chinese regulator welcomes public comments to the proposed proceedings until November 28th, 2021.

With global data privacy laws such as the GDPR and CCPA already proving to be an increasing challenge for businesses, companies must stay ahead and refer to relevant resources for helpful information regarding security assessments, privacy laws etc.

Resources

Here's What 'China's GDPR' Means For International Businesses

10 major changes in China's finalized PIPL

What is China's Data Security Law?

Overview of Personal Information Protection Law

Compliance Checklist for China's CSL

The Ultimate Guide to China's Data Protection Laws

Employee Personal Data Protection in China

Compliance Checklist for China's PIPL

Compliance Checklist for China's Data Security Law (DSL)

How China’s PIPL Compares to EU GDPR

China’s Personal Information Protection Law (PIPL)

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share

More Stories that May Interest You
Videos
View More
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
DSPM vs. CSPM – What’s the Difference?
While the cloud has offered the world immense growth opportunities, it has also introduced unprecedented challenges and risks. Solutions like Cloud Security Posture Management...
View More
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
View More
Databricks AI Summit (DAIS) 2025 Wrap Up
5 New Developments in Databricks and How Securiti Customers Benefit Concerns over the risk of leaking sensitive data are currently the number one blocker...
Inside Echoleak View More
Inside Echoleak
How Indirect Prompt Injections Exploit the AI Layer and How to Secure Your Data What is Echoleak? Echoleak (CVE-2025-32711) is a vulnerability discovered in...
What is SSPM? (SaaS Security Posture Management) View More
What is SSPM? (SaaS Security Posture Management)
This blog covers all the important details related to SSPM, including why it matters, how it works, and how organizations can choose the best...
View More
“Scraping Almost Always Illegal”, Netherlands DPA Declares
Explore the Dutch Data Protection Authority's guidelines on web scraping, its legal complexities, privacy risks, and other relevant details important to your organization.
Beyond DLP: Guide to Modern Data Protection with DSPM View More
Beyond DLP: Guide to Modern Data Protection with DSPM
Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.
Mastering Cookie Consent: Global Compliance & Customer Trust View More
Mastering Cookie Consent: Global Compliance & Customer Trust
Discover how to master cookie consent with strategies for global compliance and building customer trust while aligning with key data privacy regulations.
Understanding Data Regulations in Australia’s Telecom Sector View More
Understanding Data Regulations in Australia’s Telecom Sector
Gain insights into the key data regulations in Australia’s telecommunication sector. Learn how Securiti helps ensure swift compliance.
Top 3 Key Predictions on GenAI's Transformational Impact in 2025 View More
Top 3 Key Predictions on GenAI’s Transformational Impact in 2025
Discover how a leading Chief Data Officer (CDO) breaks down top predictions for GenAI’s transformative impact on operations and innovation in 2025.
Gencore AI and Amazon Bedrock View More
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
DSPM Vendor Due Diligence View More
DSPM Vendor Due Diligence
DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...
What's
New