This regulatory challenge extends well beyond China’s borders, raising fundamental questions about how to comply with divergent local regulations in the context of centralised global information systems.

In this article, we explore technological measures to address the concerns of many CIOs about the PIPL law.

1/ PIPL raises broader risks than just compliance risks, highlighting a trend towards decoupling operations

The PIPL is part of China’s digital sovereignty strategy and raises cross-functional issues that go far beyond IT and cyber security. We note that “80% of French companies operating in China have had to adapt their global operations by decoupling certain processes in China[1]“. At the root of this trend are risks such as espionage, compromise of intellectual property or regulatory non-compliance.

A decoupled business process must be accompanied by IT decoupling. IT decoupling is the act of separating a part of an IS to make it more flexible and modular. This allows the decoupled components to operate independently of the central system.

Before starting work to comply with the PIPL law, companies need to ask themselves 3 essential questions:

• Should we maintain a presence in China? A decision at Executive Committee level needs to be made in the light of a strategic analysis assessing the cost/benefit ratio in relation to the current risks. For example, some suppliers refuse to expand their activities in China to avoid losing control of their source code.
• If so, should I decouple my IT architecture to mitigate the risks? It is essential to highlight this study in relation to potential changes in the regulatory landscape to ensure long-term compliance.
• How do I operate and secure a decentralised system? IT and cyber restructuring should be planned according to the different architectural choices made: how should IAM be managed? How can SOC supervision be set up on a decentralised system?

2/ Putting in place a “privacy-by-design” IS architecture

The varied nature of the rules governing the storage and processing of personal data raises a question: is it possible to adapt an IS to facilitate compliance work? Is a “privacy-by-design” architecture realistic?

There are 3 possible scenarios, depending on the company’s risk appetite and strategic positioning:

• First, we have our centralised IS (the one we all know). By pooling resources, we can deliver the same service on the same scale and achieve economies of scale. However, Chinese data must be subject to a specific transfer, approved by the CAC (Cyberspace Administration of China). To control and monitor this transfer, all data flows in and out of China could pass through a single gateway (also facilitating emergency isolation, such as Red Buttons). The risk of regulatory non-compliance is controlled at the time of implementation, but can easily drift over time (operational change, application change, new Chinese amendment, etc.).
• Then we have a partially decentralised IS (where the Chinese application instance is decoupled). Data is stored and processed in China using a specific Cloud tenant or an on-premise infrastructure. Application links persist between China and the rest of the world, and data may be transferred from time to time (depending on the regulatory constraints in force). Chinese data is kept separate from the rest, making it easier to ensure the security and confidentiality of personal data.
• Finally, we have a decoupled IS, with an independent local authority. This option is certainly the most advanced, ensuring the highest level of compliance. However, it drastically increases operating costs (local teams, local infrastructure, etc.): this position is difficult to maintain if the company is committed to reducing IT and/or cyber costs. This architecture also provides significant resilience in the event of geopolitical crises, making it easier to execute an exit plan. Recent examples of geopolitical tensions include the Russian[2] [3] subsidiaries Carlsberg and Danone, which were nationalised by Russia, and the war in Ukraine, which led to numerous carve-outs, such as that of Heineken[4].

Should I choose a Cloud Service Provider (CSP) in China?

Alibaba Cloud has long been the preferred Cloud Provider because of the variety of services it offers compared with non-Chinese CSPs. Although this difference between Chinese and non-Chinese CSPs is tending to disappear, Alibaba Cloud could remain the preferred choice: as a Chinese provider, this CSP would be well advised to adapt quickly to any new Chinese regulatory requirements.

How should data transfer be managed?

In a centralised and partially decentralised architecture, data continues to be transferred. Depending on the sensitivity of the data transferred, we can implement data anonymisation or use confidential computing, an increasingly mature technology that guarantees data confidentiality during processing.

However, some cases do not necessarily require data to be transferred. This is the case with certain decentralised learning methods for AI that are “privacy-by-design” (e.g. bagging, federated learning, etc.): the systems are trained locally, and only the learning is transferred.

3/ What can we do in this climate of uncertainty, both in the short and long term?

Short term: a pragmatic risk-based approach  

The compliance strategy must be the result of a pragmatic, risk-based approach, in order to minimise the impact on operations. The main steps are as follows:

1. Make an inventory of all the data affected: what data and how is it used? How is the data stored, transferred, and processed? How are data access rights managed? Are there any external dependencies with suppliers?
2. Assess the risks associated with the data and its use. The format and content of the study must comply with CAC standards.
3. Arbitrate a compliance strategy: draw up a compliance strategy based on the 3 scenarios detailed in the previous sections, depending on the sensitivity and criticality of the application data in question.
4. Implement technical measures: implement security and confidentiality measures (decoupling, encryption, pseudonymisation, anonymisation, access controls, etc.).
5. Monitor and maintain compliance: establish a regular monitoring process to maintain compliance with the PIPL.

Long term: should I be preparing to decouple my IS in China?

PIPL compliance strategy should consider long-term trends, current geopolitical tensions and China’s increasing emphasis on data protection and sovereignty (and uncertainty of current laws).

The cybersecurity regulatory landscape has become denser and more complex in recent years, recalling one of the futures envisaged by the Cyber Campus[5]. Ultra-regulation, linked to the tightening of regulations with the aim of restoring digital confidence, could lead to regulatory incompatibilities and numerous non-compliances or fines.

Fortunately, we are not yet at this stage. However, we must anticipate this trend: PIPL compliance must be a case study forming part of an in-depth reflection on decoupling (with varying levels of separation depending on the situation). This trend towards decoupling could become essential on a wider scale in the next ten years.

[1] CCI France CHINE : Enquête sur les entreprises en Chine, Printemps 2022 https://www.ccifrance-international.org/le-kiosque/n/enquete-sur-les-entreprises-francaises-en-chine-printemps-2022.html#:~:text=Enqu%C3%AAte%20sur%20les%20entreprises%20fran%C3%A7aises%20en%20Chine%20%2D%20Printemps%202022,-25%20mai%202022&text=Avec%20p.

[2] Le Monde, 26/07/2023, « Danone : comment le piège russe s’est refermé sur le géant français des produits laitiers » https://www.lemonde.fr/economie/article/2023/07/26/danone-comment-le-piege-russe-s-est-referme-sur-le-geant-francais-des-produits-laitiers_6183438_3234.html

[3] Le Temps, 19 juillet 2023, « Après Danone et Carlsberg, la Russie se dirige vers la nationalisation d’autres filiales de groupes étrangers » https://www.letemps.ch/economie/apres-danone-et-carlsberg-la-russie-se-dirige-vers-la-nationalisation-d-autres-filiales-de-groupes-etrangers

[4] Les Echos, 25 août 2023, « Heineken se retire définitivement de Russie » https://www.lesechos.fr/industrie-services/conso-distribution/heineken-se-retire-definitivement-de-russie-1972549

[5] Horizon Cyber 2030 : perspectives et défis, Campus Cyber https://campuscyber.fr/resources/anticipation-des-evolutions-de-la-menace-a-venir/

Cet article PIPL: is information system decoupling necessary to comply with protectionist local laws? est apparu en premier sur RiskInsight.

Your company operates in China. You compile personal data relating to your Chinese employees and transfer them to your headquarters for HR purposes. You also collect personal information on Chinese customers buying products on your website and make it accessible to global departments outside of China. Since the coming into effect of China’s Personal Information Protection Law (PIPL) in November 2021, you may constantly have been wondering if your cross-border data transfers comply to China’s data privacy regulations.

A complex and uncertain system of laws governing data transfers outside of China

In fact, PIPL is only one of many Chinese data protection laws.  It builds on top of both China’s Cybersecurity Law (CSL, 2017) and China’s Data Security Law (DSL, 2021). It applies to any organization processing personally identifiable information from China in China and abroad. Under PIPL, international data transfers are possible following an approval from the Cyberspace Administration of China (CAC). The article 38 of PIPL offers four ways of getting this approval, some of them subsequently completed by five additional measures and guidelines (2022-2023)[1] detailing how to comply and who is concerned.

In a nutshell, if you engage in the cross-border data transfer of a relatively small volume of personal information, you have two options: get certified by a designated institution in accordance with the regulations of the CAC, or sign a contract with the overseas recipient of the data in line with the standard contract formulated by the CAC.

In other cases, you need to pass a security assessment organized by the CAC. This is the highest bar of compliance and applies to companies who are critical information infrastructure operators (CIIO), handle personal information of more than one million people, export personal information of 100,000 people or “sensitive” personal information of 10,000 people, or export “important” data. This gives the CAC room for interpretation, possibly qualifying any data as “important”. Furthermore, in all the above-mentioned cases, the CAC reserves the right to overview all cross-border data transfers and stop them based on a large spectrum of justifications.

Besides a complex and constantly evolving regulatory landscape leaving China’s authorities with many options to oppose a data transfer, you are burdened with two additional facts on your way to compliance. First, the procedures for getting approval from the CAC may be time-consuming, in particular the rigorous security assessment by the CAC. Second, even if you manage to get the CAC’s approval for a data transfer, you still need to obtain consent from the people whose data are being transferred as well (article 39 of PIPL).

With all this information, you may have been confused when drafting your PIPL compliance strategy. To this day, you may not be sure if your data transfers comply, and even if compliance is possible at all.

An upcoming easing of cross-border data transfer requirements

Interestingly, Chinese authorities have recently recognized the challenges faced when exporting data from China. China’s State Council has officially identified cross-border data transfers as one of 24 areas to improve in order to attract foreign investment to China[2]. Therefore, in September 2023, the CAC issued a draft proposition of exemptions from the cross-border data transfer mechanism[3].

You could be freed from the above-mentioned article 38 procedures (security assessment, certification, or specific contract) in the following cases, which were under public discussion until mid-October:

• You could transfer employee data from China if this was necessary for human resources management in accordance with law and lawfully formulated collective contracts
• You could transfer customer data from China for the purpose of entering into and performing a contract to which the customer is a party, such as cross-border e-commerce, cross-border remittance, air ticket booking and visa processing
• You could transfer personal information from China in order to protect the life, health and property safety of people in emergencies
• You would only need to do a CAC security assessment for
  • transfers of data for more than one million people, likely beyond the cases mentioned above
  • “important” data transfers, where data are not considered “important” unless you have officially been notified of the contrary

This is great news. It means that in many cases, you could continue transferring personal information from China without administrative burden and without risking non-compliance and associated fines.

However, it is currently unclear when these exceptions would be enacted, if at all, and what the final list could look like. Besides, the CAC highlighted two issues that you would still be confronted to. First, specific consent from people whose data are being transferred internationally would still be required under PIPL if consent is the legal basis for the data processing – which may be the case for most processing cases outside of the execution of a contract. Second, and more importantly, the CAC would keep the right to overview all cross-border data transfers, investigate high-risk transfers and even stop them altogether.

So if you think that you may soon once again be able to transfer a good part of your China-generated personal information abroad without constraints, you may not be right.  

Keeping data in China, the safest long-term compliance strategy

Working with all this information, how to prepare a good compliance strategy related to China’s personal information protection laws?

On the legal side, you face laws that are complex to understand, constantly evolving, and subject to interpretation by the authorities. Unlike with the GDPR, you can’t tell if you are compliant as of now, and even less in the coming months and years.

Add to this the technical side: in global companies, information circulates. Data reside in both universal platforms for global operations, including HR and customer management, and interconnected local systems. It will be a challenge just to identify all personal information and figure out associated data flows before any specific protection measures can be discussed.

Besides, let’s not forget that the stakes are high: in case of non-compliance, the CAC can restrict your data transfers, fine your company and executives, and even force your business to close in China.

You should take advantage of the fact that the CAC currently focuses on adapting rather than enforcing its personal information protection laws and consider a more long-term compliance strategy. This strategy may consist in ensuring that data actually stay in China instead of being systematically transferred to your headquarters.

In the long term, China undeniably aims for digital sovereignty. Among the many laws published by countries to regulate cyber space and protect personal data, PIPL is unique in that it significantly challenges the information system model of global companies, which consists in a centralized IT concentrating information from all locations. But in a world where geopolitical tensions intensify, we can expect even more calls for IT protectionism.

Therefore, you should see your PIPL compliance strategy reflections as a case study for decoupling of your information system, which you may soon be confronted to at a bigger scale.

[1] 2022: Measures of Security Assessment for Data Export

2022: Practice Guide for Cybersecurity Standards – Outbound Transfer Certification Specification V2.0 for Cross-border Processing of Personal Information (Exposure Draft)

2023: Information Security Technology – Certification Requirements for Cross-border Transmission of Personal Information (Exposure Draft) 

2023: Measures on the Standard Contract for Outbound Transfer of Personal Information

2023: Guidelines for Filing of Standard Contract for Outbound Transfer of Personal Information (First Edition)

2023: Regulations on Standardizing and Promoting Cross-Border Data Flows

[2]  国务院关于进一步优化外商投资环境加大吸引外商投资力度的意见

[3] Provisions on Standardizing and Promoting Cross-Border Data Flows (Draft for Comment) 

Cet article Impact of PIPL evolution on your privacy compliance strategy est apparu en premier sur RiskInsight.