PIPL's data localization mandate places unique requirements on businesses operating in China, and regulators have great leeway to assess fines.

The way companies do business in China changed fundamentally on November 1, when China’s new Personal Information Protection Law (PIPL) took effect. From the moment the law was announced in August 2021, it was clear that entities with a China footprint faced a dilemma: comply or face the consequences.

The four stated objectives of the PIPL are:

- Protect the rights and interests of individuals
- Regulate personal information processing activities
- Safeguard the lawful and “orderly flow” of data
- Facilitate reasonable use of personal information

How has the industry reacted to PIPL?

LinkedIn recently announced it is closing its flagship social network in China, citing a “challenging operating environment and greater compliance requirements.” Instead, LinkedIn has opted to create a China-light version without the social networking aspect: a straight-up jobs board called “InJobs”. LinkedIn said in a recent blog post that it anticipates shuttering LinkedIn in China by year’s end.

Similarly, Yahoo announced its departure from China as the PIPL took hold. Yahoo said, “In recognition of the increasingly challenging business and legal environment in China, Yahoo’s suite of services will no longer be accessible from mainland China as of November 1.”

The irony of China pushing forward the PIPL in the face of global allegations of China’s hacking is not lost on Lynn Raynault, co-founder of Hush, a provider of consumer privacy services.
The U.S.-China Economic and Security Review Commission has been sounding the klaxon for years on how China stands accused of stealing, scraping and cataloging individuals’ PII, PHI and PCI data from the United States and other countries.

PIPL presents compliance challenges

While the PIPL is similar in makeup to the GDPR, notes Armaan Mahbod, director of security and business intelligence at DTEX Systems, compliance isn’t any easier, and substantive differences exist. He wryly notes, “The PIPL may in fact spur business in China, as companies create their own versions of their offering in a ‘China-light’ format. The companies will have to hire a development and support team for their offering. There might be a bit of vulnerability for each company, as complying may in fact reveal a bit of their infrastructure, which had previously been protected information, to the Chinese government.”

“PIPL does raise the Great Firewall of China a few more feet, but it also creates soft, perceptual challenges elsewhere in the world,” observes Quimby Melton, co-founder and CEO of privacy-focused data management solution vendor Confection. “PIPL’s data localization mandate is unique among global data privacy laws. In essence, data controllers and infrastructure operators (CIIOs) must store data within China’s borders. If you’re operating in China, you’re probably going to be storing your data on a mainland server anyway. From this perspective, it’s easy to accommodate PIPL’s localization mandate.”

What of the multinational with the “mixed bag of international PII?” asks Melton. “How will your customers feel about the fact that (a) their data must live in mainland China and (b) it’s subject to an on-demand ‘security assessment’ by the Cyberspace Administration of China (CAC)? If you want to segment out Chinese and non-Chinese data, what OPEX challenges will this create? How will you thread data back together?
What’s lost when you can’t cross-reference data from around the world in real time?”

PIPL requires entities that process Chinese PII offshore to establish a “dedicated office” or appoint a “dedicated representative” in China, similar to the GDPR.

Wide discretion for PIPL violation penalties

Interestingly, the International Association of Privacy Professionals, in its primer on China’s PIPL, noted that regulators have wide discretion over the penalties to impose for violations of PIPL. Given the opaqueness of the Chinese justice system, the PIPL is not a law to be ignored. CISOs should be prepared to present options to their C-suites: change to become compliant, exit like Yahoo, or implement a hybrid approach like LinkedIn.