What China’s new data privacy rules mean for foreign companies and the future of regulation

November 22, 2021, 4:30 PM UTC
In theory, the new rules give Chinese users a right to transparency and control over their data.
In theory, the new rules give Chinese users a right to transparency and control over their data.
Getty Images

China’s answer to the EU data privacy rules, the Personal Information Protection Law (PIPL), went into effect earlier this month after an expedited process. Proponents hailed it as a significant step towards global standardization in consumer privacy rights. Opponents viewed it as a state tool to curb data dissemination.

Both interpretations may be valid, but only time will tell, as any new set of laws needs sufficient time to “soak in.” In time, outside observers will be able to assess how these laws are enforced and discern between the letter of the law and the spirit in which it is applied.

Consumer privacy rights

The fact is that the PIPL will provide 1.4 billion individuals with transparency and control over their personal data. This almost doubles the global total of consumers that have access to these rights today, bringing it to over three billion. By 2023, this number is projected to jump to five billion people, representing 70% of global GDP.

For organizations handling personal information collected in China, this law will require an additional layer of data governance. Operationally, this new layer is intended to deliver consumer privacy rights and crucially realign corporate strategies regarding where to store, where to process, and with whom they can share customer data.

Very similar to the EU’s General Data Protection Regulation (GDPR), the PIPL outlines a set of consumer privacy rights that fall into three categories: informative, corrective, and restrictive. These rights allow individuals to get a copy of their data, correct it where there are errors, delete it where possible or control how their data is used. This includes objecting to data being used in AI-driven decision making. For example, a bank would have to demonstrate it can reach the same result through a manual process rather than just running the request through an AI decision engine.

Data residency and localization

The PIPL’s data residency rules govern if and when personal information collected in China can be transferred to other countries. The PIPL creates different levels of required diligence depending on the sensitivity and volume of data, but generally, the two principal conditions for cross-border transfers are maintaining a certain level of control over the data and securing the consent of the consumer.

Control of cross-border transfers is workable and should be familiar to many organizations doing business in China, as they likely already follow a similar certification process as required by the Multi-level Protection Scheme (MLPS) which China established in late 2019.

However, consent makes cross-border transfers impractical, because even if a minority of individuals object to the transfer of their data, it would require the establishment of local store-and-compute capabilities.

The PIPL does allow for some exceptions, but they are limited to specific use cases such as HR and where there is an unavoidable necessity.

The good news is that the PIPL is similar to the GDPR in many ways. It’s not as comprehensive, and it will likely be heavily supported with ongoing guidance from the regulatory bodies. But for organizations that have taken the last few years to put in place a modern privacy program, satisfying these new consumer privacy rights should not represent a challenge.

The not-so-good news is that the PIPL is not the GDPR. Processing data as part of a contractual or legal obligation is covered, but critically, the concept of “legitimate interest” continues to be absent, which means that many use cases that involve the processing of personal information will have to rely on informed consent.

Since cross-border transfers will also rely largely on individual consent, centralized storage and processing of personal data outside of China will remain challenging.

Where should organizations focus?

Two critical areas should be at the top of an organization’s priority list in China: Privacy user experience (UX) and data residency.

Crafting a well-developed privacy UX will be critical for organizations handling personal information in China, both to satisfy regulatory requirements and improve consumer sentiment, boosting consent rates. Critical aspects of privacy UX include providing transparency to individuals when collecting their data and providing individuals with a privacy portal where they can exercise their consumer rights and manage consent.

Data residency requirements are such that organizations should budget for localized governance and technology in China as part of market entry or market expansion. The transfer of identifiable data from China to other countries will be difficult, but anonymized or aggregate data will afford organizations much more flexibility for centralized processing.

China’s latest rules come amid a general crackdown on the tech sector. Unlike the EU, which has independent courts, their outcomes will largely depend on what the country’s leaders decide to do next. For now, foreign companies should tread carefully and onshore user data when possible.

Nader Henein is privacy research VP at Gartner.

More must-read commentary published by Fortune:

Subscribe to Fortune Daily to get essential business stories straight to your inbox each morning.

Read More

Great ResignationClimate ChangeLeadershipInflationUkraine Invasion