The chances are that you’ve heard the expression that no person is an island. One way of interpreting it is that, while we might each act independently, we nonetheless form part of a much larger body — whether that’s a village, a city, or a nation. What we do impacts others, even when we might not immediately realize it.
Data protection measures aren’t an island, either. In a modern world in which data flows freely around the globe on a continuous basis, data protection measures such as the European Union’s General Data Protection Regulation (GDPR) invariably affect large numbers of people.
The latest example of changes to this data landscape likely to be felt globally is China’s Personal Information Protection Law (PIPL). Passed in August 2021 and taking effect from the start of November, PIPL is a major piece of legislation from the world’s largest population of internet users — upward of 900 million users (out of a population of 1.4 billion). PIPL is an important part of the Chinese government’s ongoing efforts to control data within China.
Like Europe’s GDPR, with which it shares many commonalities, China’s new data protection law has effects that aren’t felt only in its country of origin. In a globalized economy, the impact of PIPL will reach those far outside China’s physical borders.
What exactly does PIPL cover as far as rights are concerned? What kinds of effects are likely to result from it? And how can companies ensure compliance with this latest data privacy law? Read on to find out.
What rights does PIPL provide?
PIPL was greatly influenced by GDPR, which provided a groundbreaking set of unified laws around data privacy. As its name makes clear, PIPL deals with personal information (PI), referring to electronic information that relates explicitly to an identifiable natural person. This could be anything from biometric information to gender identity to financial data to medical records to location information. The rules impact any organization that “handles” PI — whether this is collecting data, storing data, using data, processing data, transmitting data, or generally dealing with it in any meaningful manner.
PIPL doesn’t prohibit the handling of PI altogether. For example, PI can be handled so long as a user over the age of fourteen has given their consent. Likewise, HR departments may handle this data when it concerns their employees, and public interest activities such as the reporting of news or responding to public health emergencies all count as legitimate uses of PI — to give just a few examples.
Nonetheless, what PIPL does — like GDPR — is put control of data back in the hands of the users it comes from. It provides users with rights such as the ability to access their PI and request copies if need be, to have this data deleted if desired, to demand explanations regarding how this data is handled, and more.
Crucially (and this is the part that affects organizations outside of China), PIPL’s reach isn’t limited to China. It also applies to the handling of information about Chinese citizens by organizations based outside China — such as when providing services or products to people in China using their PI. Like GDPR, it additionally covers the transfer of data outside of China. The penalties for failing to comply with PIPL could be extremely steep, ranging from fines to possible bans.
Build the right frameworks
For global firms, PIPL is going to matter. Any company that does business globally and touches China in some way will need to ensure that it has a PIPL compliance strategy in place. It will have to familiarize itself not just with the letter of the law when it comes to PIPL, but also — more broadly — with Chinese attitudes to data privacy and data protection, so that it can stay abreast of changing legislation.
For this reason (and because China isn’t the only country taking a deeper look at user privacy issues), organizations must ensure that they have an effective data privacy framework in place. This means knowing exactly which data is collected, where it’s stored, how it moves around, and who has access to it. It also means employing measures like data loss prevention (DLP) tools that can help prevent damaging data theft. Other measures that belong in any robust framework include secure audit trail monitoring, controls on the movement of data across borders, data masking, and more.
For years, companies have gathered user data, recognizing its importance as a strategic resource. Now a growing number of countries are doing their utmost to hold companies accountable for it. By taking the right steps to secure user data and comply with the different data privacy rules, businesses can make sure they stay on the right side of governments around the world. That’s not only a smart move financially (the costs of failing to comply can be steep) but, increasingly, it’s a smart move when it comes to staying on the right side of customers as well.