European businesses may have been pre-warned about China’s new Personal Information Protection Law (PIPL), but levels of preparedness – and perhaps even willingness – remain far less clear as we enter 2022.
PIPL in its most recent guise was released in August 2021, coming into effect on 1 November. At that point, China’s Standing Committee of the National People’s Congress said this cyber security measure was being enacted to “protect the rights and interests of personal information, regulate personal information processing activities, and promote the rational use of personal information”.
In theory, this is a rational and logical request in the same vein as Europe’s (the EU’s and European Economic Area’s) now-entrenched General Data Protection Regulation (GDPR). However, such are the demands relating to cross-border data transfer, and the penalties in place should compliance not be adhered to, that companies outside China are reassessing either their dealings within the country, their internal processes to facilitate digitised operations with Chinese partners – or whether it is really still worth taking the risk to “enter” China at all.
“We are seeing various levels of preparedness,” says Guanfu Haffke, director of innovation and strategy at Odaseva, a 10-year-old data management and protection specialist that enables the movement of Salesforce data for a host of Fortune 500 heavyweights. “Some large companies had already made their strategy for China prior to the law coming into effect. But more companies are still in the observation phase and are talking with local legal councils and vendors to tackle the compliance requirements.”
No short-cuts
Keeping on top of national, regional and legislative changes is one of Odaseva’s key strengths, with its residency-as-a-service proposition naturally suited to the challenges that a regulation shift such as PIPL presents. As part of the company’s data privacy-based conversations with clients, a prime concern in these first few months has been based around data architecture impacts, says Haffke.
“The biggest source of tension or nervousness would come from any change in data architecture or processes management that will affect an organisation’s current business operations,” she says. “This means automatic processes that are already relying on a SaaS [software-as-a-service] solution hosted outside of China, as they will no longer be possible.
“Simply, reporting tools that aggregate data from different regions for comparison and analysis will not be allowed to work as before, and that is the biggest concern of all companies previously relying on that cross-border uniformity.”
Taking short-cuts certainly isn’t an option, either. The Cyberspace Administration of China, the country’s cyber and data protection regulator, has already affirmed that violations of the new PIPL regulations could lead to penalties akin to either $7.7m, or equivalent to 5% of a company’s business revenue from the previous year.
“Understandably, as a result, we have already seen a tremendous increase in interest around solutions such as our residency-as-a-service proposition, as organisations simultaneously try to tackle the compliancy issue, all while keeping their existing business operations running smoothly during the transition phase,” says Haffke.
Treading on eggshells
So, what exactly are the key considerations that fall under this banner of cross-border transfer, on which businesses are seeking guidance?
Before August 2021, despite knowing the regulation was on its way, there were still hazy interpretations of what was to come. At first glance, the final “draft” brought to the fore in August did succeed in elaborating on more detailed requirements pertaining to data transfer. But the haziness hasn’t completely subsided, it would seem.
Haffke says: “Things that have been clarified largely relate to the different thresholds in personal information, and indeed what steps need to be taken in order to ultimately be compliant with cross-border data transfers.”
But what isn’t so clear is what companies will then be assessed on to confirm compliance.
Haffke continues: “There is still so much room for interpretation. We see the key pressure points being around the uncertainties in the required security assessment process. This is especially because of how new PIPL is and there subsequently being no precedent cases. Simply, enterprises do not know for sure if they will get a pass on that security assessment.”
European businesses are therefore taking a leap into the unknown. Since November, the initial – careful, eggshell-treading – steps have been taken hand-in-hand with IT, with all relevant business units, and especially with legal departments, to try to minimise the chances of tripping at the first hurdle.
Haffke notes that one more drastic, but potentially necessary, option involves introducing a completely localised solution for China itself. Plotting a Chinese local customer relationship management (CRM) solution instead of trying to marry China to its global CRM platform would help to avoid compliance risks, of course. On the flipside, however, the level of investment needed to upset organisations’ own status quos presents a significant downside, too.
GDPR vs PIPL: the same, but different
“Ultimately, for businesses in Europe especially, the key pressure point and deciding vote will be based around profit margins,” says Jeff Carr, a cyber security adviser, author, researcher and founder of Safe House Global. “Companies will have to weigh up whether the cost of complying with PIPL – in whatever way they choose to do so – is actually worth it for their bottom line.”
Carr’s company’s events serve to shine a spotlight on some of the pressing security questions of the digital era, and he has taken particular interest in the comparisons between PIPL and GDPR in recent months.
“Of course, there are certain similarities between PIPL and the European Union’s GDPR,” he says. “However, there are two fundamental differences. Firstly, there is a commonly used loophole within GDPR that says companies can collect and retain user data for unspecified ‘business purposes’. This loophole is often exploited by businesses – but it is not available when it comes to PIPL.
“Secondly, the requirements for moving non-Chinese customer data out of China are far more complex and, most likely, more expensive to comply with. This will be a significant barrier to European companies looking to do business in the country.”
Haffke agrees with these assertions, with a key addition that relates to time. Significantly, the GDPR compliance roadmap, which is still being pre-emptively laid out in front of businesses to this day, seems, when it comes to PIPL, to be more of an immediate booby-trapped assault course.
She says: “There is no timeline specified by the Chinese legislators, unlike when GDPR was first introduced in Europe. Even recently, it is worth noting that the final version of the new standard contractual clauses [SCCs], which was published by the European Commission on 4 June 2021, stated that organisations that transfer or receive personal data originating in the European Economic Area [EEA], outside the EEA, would be required to implement these SCCs with their customers, suppliers and affiliates by December 2022.
“This is perhaps the most significant GDPR development since the passage of the GDPR and is still giving companies a timeframe to work towards.”
Of course, there are elements that companies can leverage from their GDPR shifts for PIPL purposes. Both laws focus on the protection of personal information, first and foremost. This pertains to aspects of attaining consent, classification parameters under that “personal information” banner, consumer rights in the form of being able to have information deleted, for example, and data security measurements.
“However, it is the differences relating to absolutely critical data residency rules that means companies have to really understand their data and how PIPL applies to their operations,” says Haffke.
Time to leave, or a chance to prove data agility?
For most organisations, it is difficult to imagine navigating this PIPL journey without making drastic decisions – but how many are likely to take the most drastic decision of all?
“There are already some famous examples of companies that have left China, such as LinkedIn and the video game Fortnite,” says Haffke. “These are indeed very drastic choices, though.”
But Safe House Global’s Carr is not so sure that such a choice is just a last resort.
“I suspect there will be a thinning-out of foreign firms in China, year on year,” he says. “This will be partly because of the cost of compliance with PIPL, but also partly because China really doesn’t want foreign-owned firms in the country over the long term.
“China only wants foreign businesses operating within sectors where the country hasn’t yet caught up technologically, and PIPL is a way to naturally lean towards that dynamic. Ultimately, China is doing the right thing for its citizens. The companies that are unhappy with PIPL have, until now, been spoilt by decades of free rein to collect, analyse and monetise data that never belonged to them in the first place.”
For those wanting to stand firm and keep their global operations active in such a vast, significant market, there are alternative routes likely to be taken. As already explored, the possibility of a localised presence in China could be tweaked by isolating a company’s IT infrastructure in the country, away from its global IT systems.
But while this will achieve compliance from a data residency perspective, it means giving up on internal cross-border collaboration as China becomes a “black box for other entities within the same company”.
From Odaseva’s perspective, the most logical way forward is to instead try to achieve data compliance despite the potholes and ambiguities laid out in front, says Haffke.
“With residency-as-a-service, businesses have the ability to combine global collaboration with strict compliance in terms of data residency,” she says. “We are getting a lot of traction with this model, especially while the regulations are so new and while we await further clarifications on assessment protocols.
“Our advice would be to use PIPL as a useful digital exercise. It can be seen as a test of organisations’ agility when it comes to data privacy, and in exercising the right choice at the right time, and for the right scope, along your general data privacy journeys.”
