China’s data privacy law poses a challenge for international companies


Companies that have spent more than three years adjusting to European Union data privacy law must now decide how they will respond to a similar law in China that has been criticized for being vaguer in wording and more severe in its penalties.

China’s Personal Information and Privacy Law (PIPL), enacted early last month, is designed to give more than 1.4 billion people greater control over what data private companies collect and what those companies can do with it, while preserving the Chinese government’s broad access to its citizens’ personal information.

The law will have a wide ripple effect in the international IT and business world, given that it covers the world’s second-largest economy and a country that has asserted greater influence over local tech giants like Alibaba and Tencent, and made it more difficult for outside tech companies to do business within its borders.

Spread of Data Privacy Laws

Despite the concerns about its wording and penalties, the new law is a significant step forward in the international drive to protect citizens’ data privacy rights at a time when companies are able to collect large amounts of personal information and use it in multiple ways.

The new law is “not all good or all bad,” Jake Williams, co-founder and CTO of cybersecurity firm BreachQuest, told eSecurity Planet, adding that it’s “probably somewhere in between.”

“Chinese citizens need privacy like anyone else,” Williams said. “That said, the law gives the CCP additional control and access to private sector data under the guise of protecting privacy. Given the long history of state-sanctioned intellectual property theft and abuse, organizations have reason to be concerned.”

PIPL is designed to enable individuals to obtain the personal data that companies have collected about them, to correct or delete it, and to control its use. Individuals must also give their consent before their data is collected, and that consent can be withdrawn. Companies that collect and process data must take the necessary measures to protect the data they hold and must set up compliance systems and internal audits.


Responsibilities and Sanctions

Companies that send data outside China’s borders are also required to set up a dedicated data processing site in China or appoint a data protection officer. Companies that break the law face penalties that include the possibility of being banned from doing business in China. In addition, violators could be subject to fines of up to 5% of their annual turnover, and their directors could face personal sanctions.

“For organizations that process personal information collected in China, this law will require an additional layer of data governance,” Nader Henein, vice president of privacy research at Gartner, wrote in Fortune. “From an operational perspective, this new layer is intended to ensure consumers’ right to privacy and crucially realign business strategies around where to store, where to process and with whom they can share consumer data.”


Since 2018, multinational companies have faced a wide range of data privacy challenges as a result of the EU’s General Data Protection Regulation (GDPR) in areas such as where data is stored, how it is transferred and how it is used.

“The good news is that PIPL is similar to GDPR in many ways,” Henein wrote. “It is not as comprehensive and will likely be strongly supported by continued advice from regulators. But for organizations that have taken the past few years to implement a modern privacy program, satisfying these new consumer privacy rights shouldn’t be a challenge.”

However, there are differences between the two that organizations will need to adapt to, he wrote, noting that “data processing under a contractual or legal obligation is covered, but importantly, the concept of ‘legitimate interest’ continues to be absent, which means that many use cases involving the processing of personal information will need to rely on informed consent.”

Managers can be penalized

Organizations are going to have to consider the new law, given the number of companies in the United States and other countries doing business in China, Hank Schless, senior director of security solutions at security company Lookout, told eSecurity Planet.

“There was a similar concern about vague language when the GDPR first came out, but the penalties weren’t as severe,” Schless said. “While the financial penalties are similar between Chinese laws and the GDPR, China has added significant additional penalties, including revocation of the ability to do business in China and personal penalties for executives of a non-compliant company. If business in China accounts for more than 5% of a non-compliant company’s revenue, then revoking the ability to do business in China could be the biggest blow to an organization.”

Williams of BreachQuest agreed that the wording of the PIPL is vague and noted that the time from publication to the law taking effect was also short. The PIPL was announced in September and enacted two months later. With the GDPR, regulators used the longer gap between publication and enforcement to answer key implementation questions.

“The accelerated timescale took away that opportunity here,” Williams said. “Given the potential for extremely steep fines, I believe some organizations will choose to go out of business in China for a while. Data locality will likely have the biggest impact on most businesses. Organizations cannot transfer Chinese people’s data out of China without prior permission. Many organizations were not ready to build a dedicated processing infrastructure in China, so this will be a challenge.”

Will companies leave China?

John Bambenek, principal threat hunter for security firm Netenrich, doubted that many companies would leave China.

“Doing business in China has always come with strings attached,” Bambenek told eSecurity Planet. “I’m much more concerned that companies need to be complicit or at least turn a blind eye to gross human rights abuses than I am about additional compliance charges. Businesses will complain, but they want Chinese money, so they will line up like they always do and China knows it. Ask anyone still doing business in Hong Kong.”

Will the United States follow?

China’s adoption of PIPL, coupled with GDPR, also shines a spotlight on the United States, which has yet to institute similar data protection regulations nationwide. However, California enacted the California Consumer Privacy Act (CCPA) in 2018, which is similar to GDPR and allows California consumers to demand to see the personal data a company has collected about them, as well as the third-party organizations with whom the data has been shared. California consumers can also sue companies that violate the privacy law, whether or not a data breach occurred.

Earlier this year, Colorado and Virginia enacted their own consumer data privacy laws.

Both Bambenek and Williams said the United States will eventually have a federal privacy law, but the country is taking a different path from Europe and China.

“The legal and political culture in the United States is different from that of Europe and particularly China,” Bambenek said. “The United States has data privacy laws, but the trend is to limit the collection and use of promiscuous data. We have restrictions on biometric data and California has a privacy law. Eventually, we will adopt something more complete.”

Williams said that “while the United States would benefit from federal privacy laws, it doesn’t impact businesses. Remember that privacy laws complicate doing business. They don’t attract it. I think we will see federal privacy laws when complying with individual state laws will be too onerous for businesses. In other words, the United States is not behind, we are just approaching the problem differently.”
