Businesses that have spent the past three-plus years adapting to the European Union’s far-reaching data privacy law now have to decide how they will respond to a similar law in China that has been criticized as being more vague in its wording and harsher in its penalties.
China’s Personal Information and Privacy Law (PIPL), enacted early last month, is designed to give more than 1.4 billion people greater control over the data collected by private companies and what those companies can do with the data while preserving the Chinese government’s broad access to their citizens’ personal information.
The regulation will have a broad ripple effect in the international IT and business world, given that it covers the world’s second-largest economy and a country that has been asserting greater influence on such home-grown tech giants as Alibaba and Tencent and has made it more challenging for outside tech companies to do business within its borders.
Spread of Data Privacy Laws
Despite the concern, the new law is a significant step forward in the international push to protect citizens’ data privacy rights at a time when companies are able to collect vast amounts of personal information and use it in myriad ways.
The new law is “not all good or all bad,” Jake Williams, co-founder and CTO at cybersecurity firm BreachQuest, told eSecurity Planet, adding that it’s “probably somewhere in between.”
“Chinese citizens need privacy protection just like anyone else,” Williams said. “That said, the law gives the CCP additional control over and access to private sector data under the guise of protecting privacy. Given the long history of state-sanctioned IP theft and abuses, organizations are right to be concerned.”
PIPL is designed to enable people to get the personal data that has been collected by companies and correct or delete it and control how it’s used. In addition, they have to consent before their data is collected and that consent can be withdrawn. Companies that collect and process data need to take measures necessary to ensure the data collected is protected and to create compliance systems and internal audits.
Also read: Top GRC Tools & Software
Responsibilities and Penalties
Companies that send data outside of China’s borders also are required to create a specialized data processing site in China or name a person who is responsible for data protection. Companies that violate the law face penalties that include the possibility of being banned from doing business in China. In addition, companies that violate the law could face fines of up to 5 percent of their annual revenue and personal penalties against executives of those companies.
“For organizations handling personal information collected in China, this law will require an additional layer of data governance,” Nader Henein, privacy research vice president at Gartner, wrote in Fortune. “Operationally, this new layer is intended to deliver consumer privacy rights and crucially realign corporate strategies regarding where to store, where to process, and with whom they can share customer data.”
PIPL vs. GDPR
Multinational companies since 2018 have had to wrestle with a broad array of data privacy challenges in the wake of the EU’s General Data Protection Regulation (GDPR) in such areas as where the data is stored, how it’s transferred and how it’s used.
“The good news is that the PIPL is similar to the GDPR in many ways,” Henein wrote. “It’s not as comprehensive, and it will likely be heavily supported with ongoing guidance from the regulatory bodies. But for organizations that have taken the last few years to put in place a modern privacy program, satisfying these new consumer privacy rights should not represent a challenge.”
However, there are differences between the two that organizations will have to adapt to, he wrote, noting that “processing data as part of a contractual or legal obligation is covered, but critically, the concept of ‘legitimate interest’ continues to be absent, which means that many use cases that involve the processing of personal information will have to rely on informed consent.”
Executives Can Be Penalized
Organizations are going to have to take the new law into account, given how many companies in the United States and other countries do business in China, Hank Schless, senior manager of security solutions at security firm Lookout, told eSecurity Planet.
“There was a similar concern around vague language when GDPR first came out, but the penalties weren’t quite as harsh,” Schless said. “While the financial penalties are similar between China’s laws and GDPR, China tacked on significant additional penalties, including revoking the ability to do business in China and personal penalties on a non-compliant firm’s executives. If business in China accounts for more than 5 percent of a non-compliant firm’s revenue, then the revocation of being able to do business in China could be the most significant blow to an organization.”
BreachQuest’s Williams agreed that the language in the PIPL is vague and noted that the timeframe between publication and enforcement also was short. PIPL was announced in September and enacted two months later. With the GDPR, regulators used the longer time between publication and enforcement to answer key implementation questions.
“The accelerated time scale has removed that opportunity here,” Willias said. “Given the potential for extremely harsh fines, I think some organizations will choose to opt out of business in China for some time. Data locality will likely have the largest impact to most businesses. Organizations can’t transfer the data of Chinese people outside of China without prior approval. Many organizations weren’t ready to build dedicated infrastructure for processing in China, so this will be a challenge.”
Will Businesses Leave China?
John Bambenek, principal threat hunter for security company Netenrich, doubted that many companies will leave China.
“Doing business in China has always come with strings attached.” Bambenek told eSecurity Planet. “I’m much more concerned with businesses having to be complicit or at least turning a blind eye to flagrant human rights violations than I am with some additional overhead of compliance. Companies will whine, but they want the Chinese money, so they’ll fall in line like they always do and China knows it. Ask anyone still doing business in Hong Kong.”
Will the U.S. Follow?
The institution by China of PIPL coupled with GDPR also puts a spotlight on the United States, which has not yet instituted a similar country-wide data protection regulation. However, California in 2018 enacted the California Consumer Privacy Act (CCPA), which is similar to GDPR and allows California consumers to demand to see personal data that a company has collected on them as well as third-party organizations with whom the data has been shared. California consumers also can sue companies if the privacy law is violated, regardless if there has been a breach.
Earlier this year, both Colorado and Virginia enacted their own consumer data privacy laws.
Bambenek and Williams both said the United States eventually will have a federal law, but that the country is taking a different route from Europe and China.
“The legal and political culture in the United States is different than Europe and especially China,” Bambenek said. “The U.S. does have some data privacy laws, but the trend is towards limiting promiscuous data collection and usage. We do have restrictions on biometric data and California has a privacy law. Eventually we’ll adopt something more comprehensive.”
Williams said that “while the U.S. would benefit from federal privacy laws, this isn’t something impacting businesses. Remember that privacy laws make it more difficult to do business. They don’t attract it. I think we’ll see federal privacy laws when complying with individual state laws is too onerous for businesses. In other words, the U.S isn’t behind, we’re just approaching the problem differently.”
Further reading: Best Risk Management Software