David Uberti writing for WSJ Pro (paywalled):
The Personal Information Protection Law, or PIPL, unveiled Friday imposes rules on how companies can use Chinese citizens’ data and the conditions firms must meet to share information with computer servers or business partners outside the country. That could have a significant impact on international data flows as more countries erect digital trade barriers to protect citizens’ privacy or national security, privacy and legal experts say.
Companies that wish to transfer information internationally will have to use state-approved contracts, receive certification of data practices by a state-approved body or undergo a security review by Chinese cyber regulators, said Barbara Li, head of corporate at the Rui Bai Law Firm in Beijing.
The reason I have linked this here is the evolving landscape around international data transfers. Traditionally, most user data is sent to the US. For example, you have to look at how Apple sends everything to its servers in the US through a network monitoring tool. They don’t even hide this fact. Although they localise it in China, the debate is muddled to confuse readers not versed in the nuances of international law.
Data federation is gaining traction, and regulators can allow data exchange without violating user privacy. The exact contours are unclear, but here’s something from the write-up:
The Chinese law opens the door for Beijing to strike international deals that enable some data flows, according to a translation by the DigiChina Project, a tech policy center at Stanford University. But unlike the GDPR, which gives power to the European Commission to evaluate other countries’ privacy protections, the Chinese statute doesn’t detail a similar process for establishing that other foreign safeguards meet local standards.
As for countries that curb data flows into China in the name of privacy, the law says, Beijing could reciprocate with digital trade restrictions of its own.
This is an interesting development – I foresee that healthcare applications will require a clear mandate in the future. More so because there might be a possibility that companies might look at shipping algorithm development to third parties.