S2 #17 Your shield and sword for China’s data privacy law

Phil Bezanson

Phil Bezanson is Managing Partner of Bracewell LLP’s Seattle office and co-host of the Bracewell Sidebar podcast. Bezanson primarily represents companies, senior management and boards of directors as well as individuals in internal investigations, regulatory enforcement, and complex criminal and civil litigations.

On November 1, 2021, China’s data privacy law (Personal Information Protection Law, or PIPL) goes into effect. The law supplements existing privacy rules established by the Data Security Law and Cybersecurity Law. With a focus on personal information protection, the law sets comprehensive rules for companies on how to process the personal information of individuals, and regulates the lifecycle of handling personal information, including collection and storage. Phil Bezanson of Bracewell LLP helps us understand the new law and what corporations ought to do to address the risk and opportunity arising from PIPL.

Date Published: October 21, 2021

INTRO: [00:00:00] Welcome to the Power of Digital Policy, a show that helps digital marketers, online communications directors, and others throughout the organization balance out risks and opportunities created by using digital channels. Here's your host, Kristina Podnar.

[00:00:20] KRISTINA PODNAR, host: Welcome to another engaging episode of the Power of Digital Policy. I'm glad that you've joined me today because we are going to hear my new friend here, Phil Bezanson, whose last name I just tried to pronounce correctly. He's going to tell me if I got it wrong. I think he's shaking his head already.

[00:00:34] PHIL BEZANSON, guest: You got it right.

[00:00:35] KRISTINA: I was like, it's just, it's literally, it sounds as if it's, as it's spelled, there's not a lot of trickiness to it.

[00:00:41] PHIL: Shockingly boring.

[00:00:42] KRISTINA: Yeah. Well, that's all right. I must admit, though, that I don't think that you're that shockingly boring. But I do want to tell my audience that you are a managing partner at Bracewell LLP's Seattle office and co-host of The Bracewell Sidebar podcast. You also represent companies, the senior management, board of directors, as well as individuals in internal investigations, which sounds scary; regulatory enforcement, and complex criminal and civil litigations. What do you really do all day, Phil?

[00:01:10] PHIL: Frankly, I sit in front of a computer all day, and I talk on the phone all day. So, it's, on a day-to-day basis, it's, a lot more basic than you presented, but I mean, the problem and challenges are varied, and they are interesting, and some can be quite troubling for the people I work with. But it's a big picture. It's all about problem-solving and working with people to get through difficult situations, either difficult situations that they've uncovered on their own or difficult situations that have been brought to their doorstep. Litigants by governments, by agencies, regulators, or other outside actors that mean to be disruptive or worse.

[00:01:54] KRISTINA: Well, one of those disruptions is China's new digital privacy law, the personal information protection law, also known as PIPL. And so, I tapped you on the shoulder because we need to learn all about this. And I think a lot of folks need to learn about it very quickly because we're coming up on an enforcement deadline. Tell us more about this new protection.

[00:02:15] PHIL: Sure. So, business, something that's been in the works for quite some time in China, and I think it's been; it was finalized at the end of August. And its go-live date, such as it is, is November 1st. So, November 1st is when companies are going to have to really start to have their programs in place and be ready to manage the new requirements that China expects of organizations that operate both inside China and outside China, really to the extent that they touch any data that would be deemed personal information of Chinese citizens. But you know, it's funny, you use the word enforcement as a hook here, and it's fascinating that you said enforcement because that's one thing that we know nothing about right now, which is how this piece of legislation is going to be enforced. When it's going to be enforced, who's going to be doing the enforcing, and what the enforcement might look like. So, a lot of questions. And there are, as I understand, various stakeholders in China that are working through sort of the nuts and bolts of how this thing is going to be put into practice. What exists right now is a framework of kind of guidelines and warning shots, and expectations. And that's kind of where it is, right. And yeah, we can talk a lot about those warning shots. But I do think that in terms of timing, well, people and organizations should start complying soon. And there is a November 1st start date for compliance expectations. I don't think we're going to see enforcement activity starting on November 2nd. But who knows? There may be some things that are pre-baked that China's planning to be aggressive about. That's, obviously, one of the large unknowns with thinking about all kinds of policies and regulations and laws that you see coming out of China.

[00:04:27] KRISTINA: would you equate this new protection law along the lines of GDPR? When GDPR came into effect on May 25th, 2018, we knew that there was a framework, but we didn't quite understand how it was going to be enforced, and to a great degree, we're still trying to debate the nuances, and a lot of times, there's this notion of like, yeah, there's a child's protection aspect of GDPR, but then we default to every member's local laws, if you will, for some interpretation, is that kind of what we're looking at?

[00:04:56] PHIL: I think that we're not even there yet. When GDPR went live, there was a lot written about it. There was a lot that was planned and set out, and you're right to refer to all the different local authorities that were set up and were in place to do things when GDPR went live. I have this sense that a lot of that is present right now with China. And although I do think, in terms of planning and preparation, organizations that have a mature GDPR internal program set of policies, data mapping capabilities, those organizations are going to be far better prepared to deal with the Chinese privacy law than organizations that are not steeped in GDPR compliance and GDPR familiarity.

[00:05:57] KRISTINA: That's interesting. What you just said is those. Have already become compliant with GDPR, we'll be prepared to deal with this Chinese new law, but you didn't say, oh, you'll be fine. You just must extend it or apply to China. So, there are some nuances there that I'm assuming, or there are some differences or enough for you to say that you'll be prepared but not ready to just kind of roll into China and operate under the existing GDPR framework. Do we understand some of the differences there yet, or is it very grainy?

[00:06:27] PHIL: Yeah, I think the thing that is going to be most interesting to see, as someone with a little bit of arm's length distance to the problem versus an organization that's going to have to jump in and be compliant, are the obligations to have either a presence in China that is certified to manage data of Chinese citizens or to have some other mechanism in place for being in China to be compliant if you're going to do any sort of cross-border data transfers. GDPR, in sort of broad terms, is very reactive to something happening. I mean, most GDPR enforcement issues arise from an individual coming into some sort of conflict, however minimal, with an organization that has the individual's data that may or may not be managed correctly. And then, it gets routed through the different local authority compliance or enforcement mechanisms. And certainly, the data mapping capabilities that a company must have to deal with GDPR will be very, very, very helpful in dealing with China. In China, however, there is an expectation that if you're going to have Chinese data, the data should stay in China, and it should be housed in some fashion by an entity that meets Chinese approval. If you already have data that are outside of China, that's okay. But if you're going to move it around, you'll also have to demonstrate to China that you are sort of worthy of having this data and are handling it responsibly.

[00:08:19] KRISTINA: Is there a place, if you will, if you already don't have your data stored in China, because you're doing business outside of China, but you're doing it with Chinese citizens. Is there a place that you should think about placing your data right now in preparation for this law? Thinking about GDPR, for example, some companies chose to move their data into the EU, or at least somewhere in the EU or into a country that would be friendly towards the EU. Should you be doing something like that for this Chinese law?

[00:08:47] PHIL: Well, I think there are two different ways to approach this one for organizations that are already sort of outsourcing a lot of data management to cloud services providers. And you can, you can be confident that the cloud providers are all over this and are thinking about it very carefully and how to, how to manage it. So, it's probably worthwhile having conversations with cloud services providers that you already use about this. If you're not using a cloud service provider and you have Chinese data, then really the question is, what are the business hurdles to establishing a presence in China that can manage data? Because that's not something that you can just flip the switch and do overnight. Or, if you're going to keep data where it is or keep it in a manner where it's kept, what can you do to ensure that the data mapping really is solid so you can isolate it if you need it. And what sort of protection can you put in place to demonstrate that the data is being kept appropriately private and protected, and again, can be accessed and moved around by a Chinese citizen, if a Chinese citizen so chooses to add access data and request its return or request its portability or something that would be covered by the new legislation.

[00:10:13] KRISTINA: And I heard from somebody, I don't know how accurate this is. You're the expert in this area, but a colleague of mine had mentioned that there might be a stipulation in this law as well that you need to be mindful of infrastructure data. So not necessarily. That belongs to a citizen, but data that would point back to China's infrastructure or information would sort of identify government aspects or operations as well. So, is this a situation where there's a distinction between China's new law and GDPR where there's a focus on more than just citizen data?

[00:10:46] PHIL: Well, it's funny, there are three different pieces of Chinese legislation that have kind of all hit roughly at the same time. And there is specific legislation that focuses more on general data transfers and then also on some specific industry-based data. So, all three of these items are converging right now. And different legislations can overlap in some respects but are unique in some respects as well. And they include some fairly broad catch-all terms. So, it wouldn't surprise me if one or more, or if not all three pieces of this recent Chinese legislation touched on things beyond specific personal private information. It's certainly safe to assume that additional types of data are relevant. And again, as the details of supervision, assessment, and enforcement get developed in the months or perhaps years ahead, I'm sure we'll learn a whole lot more about what kind of data is most interesting or going to garner the most scrutiny under this sort of web of data monitoring or data protection.

[00:12:05] KRISTINA: Historically, we've seen in China, individual corporate managers, CFOs, CEOs put in jail for things like transferring sensitive data that shouldn't be transferred outside of the country. Do you think that we'll start to see some of that type of action under this law or related to this law?

[00:12:26] PHIL: Certainly possible. I'm not sure individual corporate wrongdoers are the primary target of this legislation. Certainly, large technology companies that do a lot with large volumes of data are the focus here. I think there are also a couple of fairly clear national security implications with this legislation about the sort of trying this expectation for reciprocity or China's ability to act beyond a specific company at issue if it feels that the laws or rules aren't being followed. But I would think the folks who would want to pay the closest attention to the details and to adhere to the details will be the folks working in China, primarily on behalf of non-Chinese companies, helping non-Chinese companies comply.

[00:13:34] KRISTINA: So, what should those folks be doing right now? I'm thinking, at every level of the organization, it sounds like we need to get ready. So, thinking about it from the board of directors' level down, and the board members may not sit in China, they might be outside of China, but what should those folks be doing at the different levels board of directors, senior management, all the way down to folks who might be sitting in China and taking care of digital operations?

[00:13:57] PHIL: Well, taking a step back. I'm not giving any specific legal advice here.

[00:13:59] KRISTINA: I was waiting for that!

[00:14:02] PHIL: I tried to wait. I tried to wait for as long as possible within disclaimers and be sort of a dowdy lawyer, but I'm now getting, I think, look, it's a great question. And obviously, the thing to do is identify the laws, figure out how to comply with the laws, figure out how to make sure you can demonstrate you're compliant with the laws. That's sort of the most basic thing that an organization should think about, but it's also helpful and important to know who you're working with. Particularly if legislation like this prompts organizations to forge new business relationships in areas where they haven't had business relationships in the past, to really know who you're working with, make sure there's transparency, make sure there's appropriate supervision and communication. Just because there are countless examples, certainly examples, of non-Chinese companies doing business in China, where employees operating in China have gotten into trouble and have gotten their non-Chinese employers into trouble for doing things that they maybe shouldn't do.

[00:15:25] KRISTINA: Do you think there's such an incentive for some organizations or some entities to pull out of China in terms of physical presence? I'm kind of thinking back to when Russia implemented its blogger laws and Intel pulled out of Russia and said, you know what, we're just going to host everything outside of Russia. And there's not much that you can do about it. And we're still going to welcome Russian blogger data on our servers. We're going to host that information, including personal information outside of Russia, and not much you can do about it. Sure enough, the world went on. Is that an incentive for folks who maybe provide online services or things that don't necessarily have to have a physical presence in China?

[00:16:07] PHIL: Yeah, I think it's possible, but I, I think it's a lot harder to disentangle, I think from China in the technology space than maybe it was in that example with Russia. I mean, so many technology companies already have healthy commercial relationships with businesses in China, either on the manufacturing side or on the customer side. And it's it; my guess is that we're not going to see very many organizations moving away from China. I think there's; we're going to see more the organizations that are there and are committed are, are going to try to do their best to figure out how to, how to work through this.

[00:16:54] KRISTINA: Do you think that we're going to see more of that just in general, more types of laws like this coming around the world, individual countries and having to stand up individual solutions per country or is there an opportunity to kind of scale somehow, cause I'm looking at this and it's a question I get all the time. Folks say, well, I must do GDPR. I must comply with CCPA. I must comply with POPIA in South Africa; we have a separate law in Brazil. Canada has its own flavor. So, this is flavor number 37 at Baskin Robbins in China. The next one's coming; the economies of scale aren't necessarily there. And yet, when we think about digital, it is a borderless world. Is there advice to companies, or is this just the new reality that we're living in, and they should adjust?

[00:17:36] PHIL: I think it's absolutely the new reality, and the analog that I point to when I have conversations like the ones that you're talking about are the data breach reporting requirement laws in the United States. Now a fair amount of my practice is in the cybersecurity space, working with companies in response to data breaches or other activities. And one of the startling realities that organizations face when they're the victim of a data breach is that, depending on the individuals whose personal information is impacted, there may be 50 different states that need to be notified in some way, shape, or form, or individuals in each of the 50 states need to be notified. There are subtle variations, in some cases not-so-subtle variations, along with those reporting requirements. And it's crazy that that's the case, but that's the case. And if the 50 states can't, from their legislators' perspectives and their governors' perspectives and their attorneys general's perspectives, put their heads together to figure out what could we come up with as a uniform data breach report legislation and just have every state pass the same thing. Yeah. Now that's not what happened, and it seems unlikely that that's going to happen. So yeah, it's even further removed to imagine different countries coming up with a kind of uniform set of data privacy requirements and knowing how to set that out and make it easy for organizations that operate globally to have a one-size-fits-all solution.

[00:19:23] KRISTINA: In this new complex world, what does that look like when companies get entangled in a data breach situation? I'm thinking about this because I thought you brought up a really great example of a data breach, and there's a heavy focus, at least under GDPR, that we see as far as breaches go. I imagine China is going to be the same thing, but you have a lot of breaches, and some of them are pure because of monetary reasons, but some of them are political. Do you think that China's going to start using sort of this new law to penalize companies and sort of, make, do on things that are aimed more at the US government rather than at the companies themselves? Is that a lever that they might be pulling at some point? Or do you think that the law itself is just truly based on economic and personal data interest?

[00:20:11] PHIL: Trying to predict what will happen, trying to predict the right answer to your question is it isn't easy. I, can I, let me put it this way? The way the law is written, as it appears to be, I don't think it would be impossible for China or some Chinese enforcement entity to use the law in some way, shape, or form in the event of a data breach where Chinese data held outside the US was compromised. So, is that a primary purpose of the law? I have no idea that it doesn't appear to be, but it also doesn't preclude any entity within China from doing something in this situation.

[00:21:00] KRISTINA: And we talked a little bit about who the law is aimed to protect, right? So including during a cyber event of whatever sort it could happen, but we talked about it applying to Chinese citizens, and it's applicable to companies that are doing business in China, whether they're physically in China, outside of China, does the law also protect Chinese citizens when they're traveling abroad or if they're living abroad or is it strictly within the actual borders of the country?

[00:21:28] PHIL: That's a good question. I don't have that at my fingertips, but my guess is that it does because it is, well, it certainly could because it is written broadly in a way that if data impacted is relevant for some national interest purposes, then the law applies. So even if it doesn't explicitly speak to Chinese citizens living abroad, traveling abroad, whatever, if, in the event, some data is mismanaged or mishandled or improperly stored or sent in one of those circumstances and that data at issue happened to be important for national security purposes, or it could at least be articulated as important for national security purposes, then I think whoever is tasked with enforcing this law would raise their hand and say, yes, we have jurisdiction, we have the reach, we can do something about it.

[00:22:28] KRISTINA: I was wondering about that because I often tend to kind of look to GDPR and say, no, are they trying to also protect EU citizens who are traveling outside of the EU, but that doesn't seem to be as heavy of an interest. And perhaps it's because, again, it's a conglomerate of states rather than a single state with a single kind of idiom or interest in protecting their own national security. Well, what is the next big thing then that you think organizations should be thinking about? We have this law coming into effect, right? We're in the final countdown. It's going to take a while to get all the details worked out. It sounds like we need to kind of adopt a, do things to come into compliance, but also wait and see methodology here. Are there other things that folks should be doing tactically to get prepared, you think, beyond just sort of extending the same kind of practices they had for GDPR, even maybe CCPA, to China: mapping data, making sure that they're practicing good cyber safety hygiene? What else should they be doing, anything?

[00:23:25] PHIL: I think that the data mapping component is probably the most important because if you can overcome the hurdle of being able to at least isolate and identify the actual data that's relevant for this law, for when it goes live, for when it may be more thoroughly regulated or enforced, and just understanding where that data is, how that data is being managed and how it can be dissected and extracted and moved around if necessary, will just give organizations, I would think, the most flexibility to respond to however things play out.

[00:24:10] KRISTINA: That's great. Well, Phil, I have to say, I'm very curious to see how this is all going to unfold, and I'd appreciate it if you come back and tell us some more, as we start to learn more details and I trust that you'll be on the cutting edge of that.

[00:24:22] PHIL: Yeah. I'm happy to come back and share more and hopefully share some actual concrete details of what happens and who's going to do what and to whom and when, and yeah, in an uplifting, optimistic view of things, hopefully it's all just global geopolitics posturing stuff, and companies will be able to go about their business and not be too worried about this.

[00:24:50] KRISTINA: Well, I don't know. I suspect that you're going to be in business for a while with these types of events going on. So, maybe I'm a little bit more pessimistic, but I see GDPR, with maybe some more wild enforcement, but that's also the naysayer in me. Thanks for taking the time. This has been awesome. I really enjoyed the conversation, and I appreciate you making the time.

[00:25:11] OUTRO: Thank you for joining the Power of Digital Policy; to sign up for our newsletter, get access to policy checklists, detailed information on policies, and other helpful resources, head over to the power of digital policy.com. If you get a moment, please leave a review on iTunes to help your digital colleagues find out about the podcast.
