PIPL's data localization mandate places unique requirements on businesses operating in China, and regulators have great leeway to assess fines.

The way companies do business in China changed dramatically on November 1, when China's new Personal Information Protection Law (PIPL) took effect. From the moment it was announced in August 2021, it was clear that entities with a China footprint faced a dilemma: comply or face the consequences.

The four stated objectives of the PIPL are:

- Protect the rights and interests of individuals
- Regulate personal information processing activities
- Safeguard the lawful and "orderly flow" of data
- Facilitate reasonable use of personal information

How has the industry reacted to PIPL?

LinkedIn recently announced it is closing its flagship social network in China, citing a "challenging operating environment and greater compliance requirements." Instead, LinkedIn has opted to create a China-light version without the social networking aspect: a straight-up jobs board called "InJobs". LinkedIn said in a recent blog post that it anticipates shuttering LinkedIn in China by year's end.

Similarly, Yahoo announced its departure from China as the PIPL took hold. Yahoo said, "In recognition of the increasingly challenging business and legal environment in China, Yahoo's suite of services will no longer be accessible from mainland China as of November 1."

The irony of China pushing forward the PIPL in the face of global allegations of China's hacking is not lost on Lynn Raynault, co-founder of Hush, a provider of consumer privacy services. The U.S.-China Economic and Security Review Commission has been sounding the klaxon for years on how China stands accused of stealing, scraping, and cataloging individuals' PII, PHI, and PCI data from the United States and other countries.

PIPL presents compliance challenges

While the PIPL is similar in makeup to the GDPR, notes Armaan Mahbod, director of security and business intelligence at DTEX Systems, compliance isn't any easier, and substantive differences exist. He wryly notes, "The PIPL may in fact spur business in China, as companies create their own versions of their offering in a 'China-light' format. The companies will have to hire a development and support team for their offering. There might be a bit of vulnerability for each company, as complying may in fact reveal a bit of their infrastructure, which had previously been protected information, to the Chinese government."

"PIPL does raise the Great Firewall of China a few more feet, but it also creates soft, perceptual challenges elsewhere in the world," observes Quimby Melton, co-founder and CEO of privacy-focused data management solution vendor Confection. "PIPL's data localization mandate is unique among global data privacy laws. In essence, data controllers and infrastructure operators (CIIOs) must store data within China's borders. If you're operating in China, you're probably going to be storing your data on a mainland server anyway. From this perspective, it's easy to accommodate PIPL's localization mandate."

What of the multinational with the "mixed bag of international PII"? asks Melton. "How will your customers feel about the fact that (a) their data must live in mainland China and (b) it's subject to an on-demand 'security assessment' by the Cyberspace Administration of China (CAC)? If you want to segment out Chinese and non-Chinese data, what OPEX challenges will this create? How will you thread data back together? What's lost when you can't cross-reference data from around the world in real time?"

PIPL requires entities that process Chinese PII offshore to establish a "dedicated office" or appoint a "dedicated representative" in China, similar to the GDPR.

Wide discretion for PIPL violation penalties

Interestingly, the International Association of Privacy Professionals, in its primer on China's PIPL, noted that regulators have wide discretion over the penalties they impose for violations of PIPL. Given the opaqueness of the Chinese justice system, the PIPL is not a law to be ignored. CISOs should be prepared to present options to their C-suites: change to become compliant, exit like Yahoo, or implement a hybrid approach like LinkedIn.