PIPL's data localization mandate places unique requirements on businesses operating in China, and regulators have great leeway to assess fines.

The manner in which companies do business in China saw a monumental change on November 1, when China's new Personal Information Protection Law (PIPL) took effect. Since it was first announced in August 2021, it has been clear that entities with a China footprint face a dilemma: comply or face the consequences.

The four stated objectives of the PIPL are:

- Protect the rights and interests of individuals
- Regulate personal information processing activities
- Safeguard the lawful and "orderly flow" of data
- Facilitate reasonable use of personal information

How has the industry reacted to PIPL?

LinkedIn recently announced it is closing its flagship social network in China, citing a "challenging operating environment and greater compliance requirements." Instead, LinkedIn has opted to create a China-light version without the social networking aspect, a straight-up jobs board called "InJobs". LinkedIn said in a recent blog post that it anticipates shuttering LinkedIn in China by year's end.

Similarly, Yahoo announced its departure from China as the PIPL took hold. Yahoo said, "In recognition of the increasingly challenging business and legal environment in China, Yahoo's suite of services will no longer be accessible from mainland China as of November 1."

The irony of China pushing forward the PIPL in the face of global allegations of China's hacking is not lost on Lynn Raynault, co-founder of Hush, a provider of consumer privacy services.
The U.S.-China Economic and Security Review Commission has been sounding the klaxon for years on how China stands accused of stealing, scraping, and cataloging individuals' PII, PHI and PCI data from the United States and other countries.

PIPL presents compliance challenges

While the PIPL is similar in makeup to the GDPR, notes Armaan Mahbod, director of security and business intelligence at DTEX Systems, compliance isn't any easier, and substantive differences exist. He wryly notes, "The PIPL may in fact spur business in China, as companies create their own versions of their offering in a 'China-light' format. The companies will have to hire a development and support team for their offering. There might be a bit of vulnerability for each company as complying may in fact reveal a bit of their infrastructure which had previously been protected information to the Chinese government."

"PIPL does raise the Great Firewall of China a few more feet, but it also creates soft, perceptual challenges elsewhere in the world," observes Quimby Melton, co-founder and CEO of privacy-focused data management solution vendor Confection. "PIPL's data localization mandate is unique among global data privacy laws. In essence, data controllers and infrastructure operators (CIIOs) must store data within China's borders. If you're operating in China, you're probably going to be storing your data on a mainland server anyway. From this perspective, it's easy to accommodate PIPL's localization mandate."

What of the multinational with the "mixed bag of international PII?" says Melton. "How will your customers feel about the fact that (a) their data must live in mainland China and (b) it's subject to an on-demand 'security assessment' by the Cyberspace Administration of China (CAC)? If you want to segment out Chinese and non-Chinese data, what OPEX challenges will this create? How will you thread data back together?
What's lost when you can't cross-reference data from around the world in real time?"

PIPL requires entities that process Chinese PII offshore to establish a "dedicated office" or appoint a "dedicated representative" in China, similar to the GDPR.

Wide discretion for PIPL violation penalties

Interestingly, the International Association of Privacy Professionals, in its primer on China's PIPL, noted how regulators have wide discretion on the penalties to impose for violations of PIPL. Given the opaqueness of the Chinese justice system, the PIPL is not a law to be ignored. CISOs should be prepared to present options for their C-suites: change to be compliant, exit like Yahoo, or implement a hybrid approach like LinkedIn.