China's Personal Information Protection Law (PIPL) presents challenges for CISOs

PIPL's data localization mandate places unique requirements on businesses operating in China, and regulators have great leeway to assess fines.


The manner in which companies do business in China changed fundamentally on November 1, when China’s new Personal Information Protection Law (PIPL) took effect. From the moment the law was announced in August 2021, it was clear that entities with a China footprint faced a dilemma: comply or face the consequences.

The four stated objectives of the PIPL are:

  • Protect the rights and interests of individuals
  • Regulate personal information processing activities
  • Safeguard the lawful and "orderly flow" of data
  • Facilitate reasonable use of personal information

How has the industry reacted to PIPL?

LinkedIn recently announced it is closing its flagship social network in China citing a “challenging operating environment and greater compliance requirements.” Instead, LinkedIn has opted to create a China-light version without the social networking aspect—a straight-up jobs board called “InJobs”. LinkedIn said in a recent blog post that it anticipates shuttering LinkedIn in China by year’s end.

Similarly, Yahoo announced its departure from China as the PIPL took hold. Yahoo said, “In recognition of the increasingly challenging business and legal environment in China, Yahoo’s suite of services will no longer be accessible from mainland China as of November 1.”

The irony of China pushing forward the PIPL in the face of global allegations of Chinese hacking is not lost on Lynn Raynault, co-founder of Hush, a provider of consumer privacy services. The U.S.-China Economic and Security Review Commission has been sounding the klaxon for years on how China stands accused of stealing, scraping and cataloging individuals’ PII, PHI and PCI data from the United States and other countries.

PIPL presents compliance challenges

While the PIPL is similar in makeup to the GDPR, notes Armaan Mahbod, director of security and business intelligence at DTEX Systems, compliance isn’t any easier and substantive differences exist. He wryly notes, “The PIPL may in fact spur business in China, as companies create their own versions of their offering in a ‘China-light’ format. The companies will have to hire a development and support team for their offering. There might be a bit of vulnerability for each company as complying may in fact reveal a bit of their infrastructure which had previously been protected information to the Chinese government.”

“PIPL does raise the Great Firewall of China a few more feet, but it also creates soft, perceptual challenges elsewhere in the world,” observes Quimby Melton, co-founder and CEO of privacy-focused data management solution vendor Confection. “PIPL’s data localization mandate is unique among global data privacy laws. In essence, data controllers and infrastructure operators (CIIOs) must store data within China’s borders. If you’re operating in China, you’re probably going to be storing your data on a mainland server anyway. From this perspective, it’s easy to accommodate PIPL’s localization mandate.”

What of the multinational with the “mixed bag of international PII?” says Melton. “How will your customers feel about the fact that (a) their data must live in mainland China and (b) it’s subject to an on-demand ‘security assessment’ by the Cyberspace Administration of China (CAC)? If you want to segment out Chinese and non-Chinese data, what OPEX challenges will this create? How will you thread data back together? What’s lost when you can’t cross-reference data from around the world in real time?”

PIPL requires entities that process Chinese PII offshore to establish a “dedicated office” or appoint a “dedicated representative” in China, similar to the GDPR.

Wide discretion for PIPL violation penalties

Interestingly, the International Association of Privacy Professionals in its primer on China’s PIPL noted how regulators have wide discretion on penalties to impose on violations of PIPL. Given the opaqueness of the Chinese justice system, the PIPL is not a law to be ignored. CISOs should be prepared to present options for their C-Suites: Change to be compliant, exit like Yahoo, or implement a hybrid approach like LinkedIn.

Copyright © 2021 IDG Communications, Inc.