PIPL's data localization mandate places unique requirements on businesses operating in China, and regulators have great leeway to assess fines. Credit: Guirong Hao / Getty Images The manner in which companies do business in China saw a monumental change take effect on November 1 when China’s new Personal Information Protection Law (PIPL) took effect. First announced in August 2021, it was clear entities with a China footprint were faced with the dilemma: Comply or face the consequences.The four stated objectives of the PIPL are:Protect the rights and interests of individualsRegulate personal information processing activitiesSafeguard the lawful and “orderly flow” of dataFacilitate reasonable use of personal informationHow has the industry reacted to PIPL?LinkedIn recently announced it is closing its flagship social network in China citing a “challenging operating environment and greater compliance requirements.” Instead, LinkedIn has opted to create a China-light version without the social networking aspect—a straight-up jobs board called “InJobs”. LinkedIn said in a recent blog post that it anticipates shuttering LinkedIn in China by year’s end.Similarly, Yahoo announced its departure from China as the PIPL took hold. Yahoo said, “In recognition of the increasingly challenging business and legal environment in China, Yahoo’s suite of services will no longer be accessible from mainland China as of November 1.” The irony of China pushing forward the PIPL in the face of global allegations of China’s hacking is not lost on Lynn Raynault, co-founder of Hush, a provider of consumer privacy services. The U.S.-China Economic and Security Review Commission has been sounding the klaxon for years on how China stands accused of stealing, scraping, cataloging individuals’ PII, PHI and PCI data from the United States and other countries.PIPL presents compliance challengesWhile the PIPL is similar in makeup to the GDPR, notes Armaan Mahbod, director of security and business intelligence at DTEX Systems, compliance isn’t any easier and substantive differences exist. He wryly notes, “The PIPL may in fact spur business in China, as companies create their own versions of their offering in a ‘China-light’ format. The companies will have to hire a development and support team for their offering. There might be a bit of vulnerability for each company as complying may in fact reveal a bit of their infrastructure which had previously been protected information to the Chinese government.” “PIPL does raise the Great Firewall of China a few more feet, but it also creates soft, perceptual challenges elsewhere in the world,” observes Quimby Melton, co-founder and CEO of privacy-focused data management solution vendor Confection. “PIPL’s data localization mandate is unique among global data privacy laws. In essence, data controllers and infrastructure operators (CIIOs) must store data within China’s borders. If you’re operating in China, you’re probably going to be storing your data on a mainland server anyway. From this perspective, it’s easy to accommodate PIPL’s localization mandate.”What of the multinational with the “mixed bag of international PII?” says Melton. “How will your customers feel about the fact that (a) their data must live in mainland China and (b) it’s subject to an on-demand ‘security assessment’ by the Cyberspace Administration of China (CAC)? If you want to segment out Chinese and non-Chinese data, what OPEX challenges will this create? How will you thread data back together? What’s lost when you can’t cross-reference data from around the world in real time?”PIPL requires entities that process Chinese PII offshore to establish a “dedicated office” or appoint a “dedicated representative” in China, similar to the GDPR.Wide discretion for PIPL violation penaltiesInterestingly, the International Association of Privacy Professionals in its primer on China’s PIPL noted how regulators have wide discretion on penalties to impose on violations of PIPL. Given the opaqueness of the Chinese justice system, the PIPL is not a law to be ignored. CISOs should be prepared to present options for their C-Suites: Change to be compliant, exit like Yahoo, or implement a hybrid approach like LinkedIn. Related content news Amazon’s AWS Control Tower aims to help secure your data’s borders As digital compliance tasks and data sovereignty rules get ever more complicated, Amazon wants automation to help. By Jon Gold Nov 28, 2023 3 mins Regulation Regulation Government news North Korean hackers mix code from proven malware campaigns to avoid detection Threat actors are combining RustBucket loader with KandyKorn payload to effect an evasive and persistent RAT attack. By Shweta Sharma Nov 28, 2023 3 mins Malware feature How a digital design firm navigated its SOC 2 audit L+R's pursuit of SOC 2 certification was complicated by hardware inadequacies and its early adoption of AI, but a successful audit has provided security and business benefits. By Alex Levin Nov 28, 2023 11 mins Certifications Compliance news GE investigates alleged data breach into confidential projects: Report General Electric has confirmed that it has started an investigation into the data breach claims made by IntelBroker. By Shweta Sharma Nov 27, 2023 3 mins Data Breach Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe