China Data Residency: A Guide to Compliance with PIPL & CSL
Learn how Skyflow eases compliance with PIPL, CSL, and other data protection and data residency requirements in China so you can scale your business globally.
Sensitive customer data is essential to any global business, but it’s also subject to increasing levels of regulation in markets across the world. This is especially true in China, where laws that govern where and how sensitive data is stored and processed, and that restrict cross-border data transfers, are very stringent. Beyond the Personal Information Protection Law (PIPL), a data residency law that governs any personal information (including PII) collected in China, China’s regulatory regime includes a Cybersecurity Law (CSL) that regulates a wider range of ‘important data’. China also has regulations in place around networking, encryption, domain names, and IP addresses that pose unique challenges.
But with over a billion Internet users located in China, it isn’t a market that your business can afford to overlook.
So, how can you protect all types of sensitive data that are subject to PIPL and CSL, and meet other requirements for your business to operate in China? And, how can you enable capabilities like global analytics while avoiding cross-border data transfers or wholesale replication of your infrastructure in China?
In this post, we’ll take a closer look at the data handling and infrastructure requirements for operating in China, how these requirements compare to those in other markets, and the specific challenges of meeting these requirements and achieving compliance. We’ll also show how companies that operate in China can protect sensitive data and honor data residency and other requirements by isolating, protecting, and governing that data with a data privacy vault. Finally, we’ll show how using a data privacy vault lets your business avoid cross-border data transfers while preserving data utility for analytics.
Understanding the Regulatory Landscape in China
The data regulations in China are extensive, governing the collection and use of several types of sensitive data, how encryption is used to protect that data, and the operation of networks and websites within China.
The most significant regulations include:
- Sensitive Data Regulations: PIPL and CSL define which types of data are considered to be sensitive, and set requirements for the collection, storage, and use of that data.
- Encryption Regulations: China’s Commercial Encryption Regulations mandate the use of specific encryption algorithms.
- Network and Website Regulations: Multi-Level Protection Scheme (MLPS 2.0) cybersecurity standards govern the operation of networks in China, and Internet Content Provider (ICP) certification is required for China-based domain names and their associated IP addresses.
Let’s take a closer look at each of these areas of regulation.
How Sensitive Data Is Regulated under PIPL and CSL
The Personal Information Protection Law (PIPL, pronounced “pih-pul”) and the CSL both regulate different types of sensitive data encompassing a wider range of information than is covered by data protection laws outside of China.
PIPL Regulates Personal Information
PIPL regulates personal information (PI) collected in China, defined as “information gathered by electronic or other methods about identified or identifiable natural persons, except anonymized data”. This is similar to the concept of “personal data” under the EU’s GDPR. PIPL also defines a subcategory of PI, called “sensitive personal information” (SPI), which includes information on an individual’s location, financial accounts, medical health, biometrics, religious beliefs, specific identity, etc. The PI of any minor under the age of 14 is also considered SPI.
Processing PI (including SPI) requires consent from individuals, and processing SPI is subject to additional requirements. Compliance requires stringent controls on data storage (within China), encryption, and processing. Companies that collect PI, known as “PI handlers”, must also get individuals’ consent before transferring PI across borders. Failure to do so can cause a company to lose the right to collect additional PI within China.
Similar to the EU’s GDPR, violations of PIPL can result in massive fines and other sanctions. Fines range up to 5% of a company’s most recent annual revenue, plus other business penalties such as an impact on credit ratings. Individuals, such as company executives and data protection officers, can also face personal fines and even prosecution. For example, when the Cyberspace Administration of China (CAC) took action against ride-hailing company Didi Global for violations of PIPL and other data protection laws, it fined the company 8 billion yuan ($1.9 billion) and also fined two executives 1 million yuan ($140,000). In addition to these fines, Didi was barred from adding new users while the CAC completed its investigation.
CSL Regulates a Broad Range of Important Data
CSL, on the other hand, regulates a much wider range of sensitive data, called “important data”. While CSL doesn’t define “important data”, the draft Network Data Security Regulation from the CAC defines it as “any data that, if tampered with, damaged, leaked, illegally obtained or used, may jeopardize national security or public interests”.
Important data is expansively defined with a lot of room for interpretation, so companies operating in China are well served by classifying data as “important data” when in doubt. Like PIPL, violations of CSL carry strict penalties including a variety of fines, suspension or revocation of business licenses, etc.
PI and SPI as regulated under PIPL, and important data as regulated under CSL, are all subject to encryption regulations, as described in the next section.
China’s Distinctive Commercial Encryption Regulations
China’s Commercial Encryption Regulations require a specific type of encryption for PI and “important data”, if encryption is used, and forbid the use of industry-standard encryption libraries, including AES libraries. Some companies might be tempted not to encrypt sensitive data because of these regulations. While this is allowed, it would put your company at risk of stiff penalties under PIPL or CSL for failing to protect that data if it is stolen or misused.
Effectively, the Commercial Encryption Regulations mean that any software or services you use that rely on encryption must be designed (or extensively redesigned) to meet legal requirements in China. The regulations also require that you keep not only encrypted sensitive data, but also your encryption keys, in China.
As with PIPL and CSL, violations of these regulations can result in significant fines and other penalties.
Network and Website Regulations in China
Operating in China is not just about adapting to a different market; it's about aligning with a unique set of regulations, and this is especially true when it comes to the operation of networks and websites in China.
Network Regulations under MLPS 2.0
The MLPS 2.0 Cybersecurity Standards govern the requirements that all network operators must meet in China. A “network operator” – basically any business operating in China – must first examine their network’s compliance with MLPS security obligations. Then, they must assess the risks associated with their network being potentially damaged or compromised, either by themselves or with an outside expert. This assessment results in “grading” a network’s security level on a scale from one to five, with five representing the highest risk.
The last step for a business that operates networks in China is to get approval for its network’s stated Security Level grade, which involves giving regulators access to networks so they can confirm the assessment.
Maintaining MLPS certification requires ongoing effort, including self-inspections and risk assessments. Regulators can make the renewal of business licenses contingent on a company ensuring that all of their networks are MLPS 2.0 certified.
ICP Certification for Domain Names
Before operating a website in China, you’re required to obtain an Internet Content Provider (ICP) certification from China’s Ministry of Industry and Information Technology (MIIT). To complete this process, you need to identify the specific IP addresses associated with your domain when seeking the certification, adding another layer of complexity for businesses operating in China.
But, as with the other regulations described in this blog post, you can’t afford to ignore the ICP certification process. Websites without an ICP certification are shut down and added to a “block list” by the MIIT.
The potential consequences of noncompliance loom large. Legal penalties can be severe, ranging from fines to suspension of operations. The damage to reputation and loss of customer trust can be equally debilitating.
The Business Consequences of Noncompliance in China
Noncompliance with China’s personal data protection laws, including the data residency provisions of PIPL and CSL, is not just a legal matter. In an environment of increasing enforcement and strengthening regulation, failure to comply with any of these requirements poses a significant risk to your business.
The potential consequences are wide-ranging, including financial penalties, reputational damage, and loss of customer trust. But beyond these penalties, any business that doesn’t comply with these regulations will find it difficult to renew its business license to operate in China and can expect to have difficulty in obtaining a new license.
These penalties are described above, but to recap, noncompliant businesses in China face:
- Legal Penalties: China’s regulations, especially under PIPL and CSL, come with teeth. Fines for noncompliance can be substantial, potentially reaching 5% of annual revenue.
- Reputational Damage: A breach of data residency and data protection laws can result in severe reputational damage. Customers value the security of their data, and any compromise can erode trust irreparably.
- Loss of Customer Trust: Trust is hard-earned but easily lost. A breach of data residency laws not only impacts current operations but can also affect future customer acquisition and retention.
Navigating the complex landscape of Chinese data regulations requires more than just compliance; it demands a proactive approach to data protection.
What’s the best way to comply with these laws? By using a data privacy vault.
Skyflow’s Solution: Keep Encrypted Data (and Keys) in China
Skyflow Data Privacy Vault lets companies isolate, protect, govern, and localize sensitive data, making it an ideal choice to manage data residency in China to ease compliance with PIPL, CSL, and the other requirements listed above.
How does Skyflow work? With Skyflow, sensitive data is:
- Isolated: When you isolate sensitive data in a data privacy vault, you make it easy to keep that data within national borders, while supporting global analytics through sophisticated tokenization techniques. You also avoid one of the major issues with data security: sensitive data sprawl. Data sprawl occurs when sensitive data like names or social security numbers are replicated from one system to another, increasing the amount of infrastructure that’s subject to compliance requirements.
- Protected: To secure sensitive data, you need a combination of encryption and tokenization. Encryption protects the sensitive data that are isolated in a data privacy vault, while tokenization allows you to provide stand-in “tokens” that correspond to this sensitive data and that can be used throughout your infrastructure because Skyflow tokens have no exploitable value. Skyflow also gives you control over encryption key management, so you can keep encryption keys in China.
- Governed: Access to sensitive data is controlled using a combination of zero trust architecture and role-based and attribute-based access controls (RBAC and ABAC). These access controls provide only the minimum amount of data that’s required for business-critical workflows. Skyflow’s data governance also includes extensive monitoring and audit logging capability.
China-ready Data Residency with Skyflow
So, how does protecting sensitive data in a data privacy vault simplify data residency compliance in China, or any other market? By separating your data infrastructure from the sensitive data that’s subject to data residency requirements, and keeping any sensitive data that originates in China in a regional data privacy vault located in China. This approach not only addresses the requirement that sensitive data is stored in China, it also addresses the requirement that data processing (including compute) occurs in China.
This approach not only lets you avoid cross-border data transfers, it also lets you lower operational costs while retaining support for global analytics.
Skyflow Data Privacy Vault Gives You Scalability and Global Analytics
With sensitive data isolated in multiple regional data privacy vaults, Skyflow provides a cost-effective and scalable solution to support data residency. Instead of replicating your entire infrastructure in each country where you operate, you can store the sensitive data that is subject to a country’s data residency requirements in a data privacy vault located in that country.
Let’s revisit the example above, and consider how a company that operates in the EU and China could use a data privacy vault to meet data residency and other requirements in both markets:
This solution is not only faster to deploy in new markets, it’s also more cost-effective and supports global analytics – addressing all of the drawbacks of the geo-duplicated architecture shown previously. And because only non-exploitable vault tokens – not encrypted data – are sent from China to the global data center, this approach lets you keep sensitive data in China, instead of requesting (unlikely) approval from the CAC for cross-border data transfers.
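To make the isolate/protect/govern pattern and the regional-vault architecture above concrete, here is a small Python model added for this post. It is illustrative code, not Skyflow’s product code, SDK, or API, and every name in it (`RegionalVault`, `ingest_orders`, `global_report`, the role policy, the sample orders) is hypothetical and constructed. It shows the three properties the post relies on: plaintext PII never leaves the in-region vault; the tokens that do leave are random and carry no information about the value; and the global data center can still compute analytics (distinct customers, spend per customer) on tokens alone, because the same value always maps to the same token.

```python
"""Toy model of a regional data privacy vault with tokenization.

Illustrative code added for this post; not Skyflow's code or API.
All names, roles, and sample records are hypothetical/constructed.
"""
import secrets
from collections import Counter


class RegionalVault:
    """Holds plaintext for one region. Only tokens ever leave it."""

    # Hypothetical least-privilege policy: role -> fields it may read in clear.
    POLICY = {"support_agent": {"email"}, "analytics": set()}

    def __init__(self, region):
        self.region = region
        self._plaintext = {}   # token -> (field, value); stays in-region
        self._token_for = {}   # (field, value) -> token; same value => same token
        self.audit_log = []    # every tokenize/detokenize/deny decision

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._token_for:
            # Random token: reveals nothing about the value and cannot be
            # reversed without the vault, so it is safe to ship globally.
            token = f"tok_{self.region}_{secrets.token_hex(8)}"
            self._token_for[key] = token
            self._plaintext[token] = key
        self.audit_log.append(("tokenize", field, self._token_for[key]))
        return self._token_for[key]

    def detokenize(self, token, caller_region, role):
        # Governance: plaintext is released only inside the vault's own region
        # and only to roles whose workflow needs that field.
        if caller_region != self.region:
            self.audit_log.append(("deny", "cross_border", token, role))
            raise PermissionError(f"detokenization must happen inside {self.region}")
        if token not in self._plaintext:
            raise KeyError("unknown token")
        field, value = self._plaintext[token]
        if field not in self.POLICY.get(role, set()):
            self.audit_log.append(("deny", "role", token, role))
            raise PermissionError(f"role {role!r} may not read {field}")
        self.audit_log.append(("detokenize", field, token, role))
        return value


def ingest_orders(vault, raw_orders):
    """Runs in-region: swaps PII for tokens before records go to the global tier."""
    return [
        {"order_id": o["order_id"], "amount": o["amount"],
         "customer": vault.tokenize("email", o["email"])}
        for o in raw_orders
    ]


def global_report(tokenized_orders):
    """Runs in the global data center on tokens only; it has no vault access."""
    spend = Counter()
    for o in tokenized_orders:
        spend[o["customer"]] += o["amount"]
    return {"distinct_customers": len(spend),
            "top_spend": max(spend.values(), default=0)}


# Constructed sample data standing in for orders collected in China.
CN_ORDERS = [
    {"order_id": 1, "email": "li@example.cn", "amount": 120},
    {"order_id": 2, "email": "wang@example.cn", "amount": 80},
    {"order_id": 3, "email": "li@example.cn", "amount": 40},
]


def demo():
    vault = RegionalVault("cn")
    shipped = ingest_orders(vault, CN_ORDERS)       # what leaves China
    report = global_report(shipped)                 # computed globally
    tok = shipped[0]["customer"]

    # A global service (outside the region) cannot recover plaintext.
    try:
        vault.detokenize(tok, caller_region="us", role="support_agent")
        cross_border_blocked = False
    except PermissionError:
        cross_border_blocked = True

    # In-region analytics role has no need for plaintext, so it is denied too.
    try:
        vault.detokenize(tok, caller_region="cn", role="analytics")
        role_blocked = False
    except PermissionError:
        role_blocked = True

    # In-region support workflow with the right role gets the value.
    in_region_value = vault.detokenize(tok, caller_region="cn", role="support_agent")
    return {"shipped": shipped, "report": report,
            "cross_border_blocked": cross_border_blocked,
            "role_blocked": role_blocked, "in_region_value": in_region_value,
            "audit_entries": len(vault.audit_log)}


if __name__ == "__main__":
    print(demo())
```

The point of keeping a `(field, value) -> token` map inside the vault is data utility: two orders from the same customer yield the same token, so the global tier can count distinct customers and aggregate spend without ever seeing an email address, which is the “tokens, not encrypted data, cross the border” flow the post describes.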
Try Skyflow
From easing PIPL, CSL, MLPS 2.0, and ICP compliance to protecting sensitive data and enabling global operations, Skyflow is your partner in navigating the intricacies of operating in China in full compliance with data residency and other data protection laws.
If you’d like to learn more about Skyflow for China, please contact us.