Navigating China’s PIPL Requirements: How to Unlock China Go-to-Market

November 12, 2024

Maintaining compliance with local data protection and data residency laws can be a formidable task for global companies, particularly in regions with stringent data protection laws like China. The Personal Information Protection Law (PIPL) and other regulations in China set rigorous standards for handling personal information (PI) collected from individuals, as well as other types of important data. 

In this post, we show how companies can address these challenges by leveraging AWS infrastructure in China in combination with Skyflow Data Privacy Vault. We’ll explain the data privacy vault approach, what problems it solves, and do a deep dive into how this eases PIPL compliance. Finally, we’ll share practical advice for companies looking for the best way to manage compliance with PIPL or other data protection laws.

The Technical Challenges of Compliance in China

China's data laws are comprehensive and cover how sensitive data is handled, how it's encrypted for protection, and how networks and websites operate within the country.

Key points include:

  • Sensitive Data: The Personal Information Protection Law (PIPL) and Cybersecurity Law (CSL) identify sensitive data types and set rules for how this data should be collected, stored, and used.
  • Encryption: The country requires the use of specific encryption methods under its Commercial Encryption Regulations.
  • Networks and Websites: The Multi-Level Protection Scheme (MLPS 2.0) sets cybersecurity standards for network operations. Websites with China-based domain names and IP addresses must have Internet Content Provider (ICP) certification.

Clearly, China's regulatory environment is multifaceted, and there’s a lot to navigate to meet its regulations. For example, China’s Commercial Encryption Regulations set strict standards for which encryption libraries are used and how long the encryption keys are. This means that any software or services you use that utilize encryption must be designed (or redesigned) to meet legal requirements in China, and that encryption keys for any encrypted data collected in China must remain in China.

Meeting this combination of technical requirements poses significant challenges for even the largest and most technically sophisticated companies.

Why You Should Avoid Cross-border Data Transfers

Compliance with China’s regulations goes beyond where your servers are located; it involves governing the location, handling, and use of a wide array of data that’s collected in China. The “important data” that’s protected by CSL is expansively defined by the Cyberspace Administration of China (CAC) as “any data that, if tampered with, damaged, leaked, illegally obtained or used, may jeopardize national security or public interests.”

This wide-ranging definition creates uncertainty for any company that’s planning to transfer data collected in China outside of the country. To avoid this uncertainty, and the possibility of significant fines or other sanctions, it’s best to keep both of these types of sensitive data within China. 

What is a Data Privacy Vault and How Does It Help?

Skyflow is a data privacy vault, which isolates, protects, and governs sensitive data (including customer PII) while facilitating region-specific compliance through data localization. When used properly, all sensitive data is transformed by the vault into non-sensitive de-identified data, taking the existing application infrastructure out of scope for data security and compliance. The de-identified data, in the form of vault-generated tokens, is passed along and stored within traditional application systems like the database and various logging systems, where each token behaves as a reference or pointer to the original data.

Traditional data security versus a data privacy vault (Source: IEEE)

The vault architecture vastly simplifies the complexities of data residency, data security, and compliance. A data privacy vault not only decreases the scope of compliance, it also improves auditability because the data privacy vault keeps track of all sensitive data access and use.

Skyflow Data Privacy Vault is ISO 27001 Certified, SOC 2 Type 2 Certified, PCI Level 1 Certified, HIPAA Assessed and Eligible, and GDPR Assessed and Compliant. Additionally, a Skyflow vault runs on AWS, and it takes advantage of AWS’s large number of regions and availability zones. This allows any Skyflow customer to deploy vault instances in various regions around the world.

Skyflow’s solution for using sensitive data in China leverages AWS to provide:

How Skyflow and AWS Built an Architectural PIPL Solution

Skyflow's collaboration with AWS plays a pivotal role in overcoming the unique challenges posed by China's regulatory environment. AWS China regions provide extensive infrastructure support that eases compliance with China’s data protection laws so that businesses have the tools they need to thrive in China.

How Does Skyflow's AWS China Solution Work?

Skyflow’s solution for unlocking go-to-market in China is built on AWS China region support and the data privacy vault architectural pattern. A Skyflow vault in China is deployed within a customer’s account running in the cn-north-1 region.

With a data privacy vault, companies can isolate, protect, govern, and localize sensitive data, making it an ideal choice to manage data residency in China to ease compliance with PIPL, CSL, and the other requirements listed above.

How does this work? With a data privacy vault, sensitive data is:

  • Isolated: When data is isolated in a data privacy vault, it becomes easy to keep that data within national borders, while supporting global analytics through sophisticated tokenization techniques. This also avoids one of the major issues with data security: sensitive data sprawl. Data sprawl occurs when sensitive data like names or social security numbers are replicated from one system to another, increasing the amount of infrastructure that’s subject to compliance requirements.
  • Protected: Securing sensitive data requires a combination of encryption and tokenization. Encryption protects the sensitive data that are isolated in a data privacy vault, while tokenization provides stand-in “tokens” that correspond to this sensitive data. Tokens can be stored throughout your infrastructure because well-designed tokens have no exploitable value.
  • Governed: Access to sensitive data is controlled using a combination of zero trust architecture and fine-grained access controls. These access controls provide only the minimum amount of data that’s required for business-critical workflows. Skyflow’s data governance also includes extensive monitoring and audit logging capability.

Imagine we have a web application with the following simple architecture running on AWS in us-east-1. 

Simple web application and backend system running in AWS region us-east-1.

If I also need to support China, then I’d likely need to replicate all of these services within a region in China, creating a duplication of the us-east-1 infrastructure.

Duplicating the web infrastructure across two regions.

This isn’t ideal, as I now have to manage these services across two separate regions. Additionally, I can’t run global analytical queries against Redshift because the customer data is siloed within each Redshift regional instance.

We can solve both of these issues by using Skyflow vaults deployed to us-east-1 and cn-north-1. Now the regulated data is siloed off, but the other systems that power the application can run within any region. Operations like analytics and data sharing can rely on the de-identified forms of data; they don’t need the raw customer PII.

Example of one web application infrastructure but many vaults.

By separating data infrastructure from the sensitive data that are subject to data residency requirements, companies can keep any sensitive data that originates in China protected within a regional data privacy vault that’s located in China. This approach not only addresses the requirement that sensitive data is stored in China, it also addresses the requirement that data processing (including compute) occurs in China.
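The one-application, many-vaults pattern described above can be sketched as follows. This is an added example, not Skyflow's code or API: `RegionalVault`, `ingest`, `distinct_customers`, the HMAC-based deterministic token scheme and the access policy are all assumptions, and an in-memory dict stands in for encrypted in-region storage.

```python
import hashlib
import hmac
import secrets

class RegionalVault:
    """Toy in-memory vault (hypothetical, not the Skyflow API)."""

    def __init__(self, region):
        self.region = region
        self._key = secrets.token_bytes(32)  # per-region key, never exported
        self._records = {}                   # token -> raw value, in-region only
        self.audit_log = []                  # (role, region, token, decision)

    def tokenize(self, value):
        # Assumed scheme: deterministic keyed token, so equal inputs map to the
        # same token and joins/distinct counts work on tokens. Trade-off:
        # equality of values is visible to anyone holding the tokens.
        mac = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = f"tok_{self.region}_{mac[:24]}"
        self._records[token] = value
        return token

    def detokenize(self, token, role, caller_region):
        # Assumed policy: only the "support" role calling from inside the
        # vault's own region may read raw values; every attempt is logged.
        ok = role == "support" and caller_region == self.region
        self.audit_log.append((role, caller_region, token, "allow" if ok else "deny"))
        if not ok:
            raise PermissionError(f"{role}@{caller_region} denied by {self.region}")
        return self._records[token]

VAULTS = {r: RegionalVault(r) for r in ("us-east-1", "cn-north-1")}

def ingest(row):
    """Send PI to the vault of the collecting region; return the token-only row."""
    vault = VAULTS[row["collected_in"]]
    return {**row, "email": vault.tokenize(row["email"])}

def distinct_customers(rows):
    """Global analytics over the shared warehouse, using tokens only."""
    return len({r["email"] for r in rows})

SAMPLE = [  # constructed rows, not real data
    {"collected_in": "cn-north-1", "email": "li@example.cn", "plan": "pro"},
    {"collected_in": "cn-north-1", "email": "li@example.cn", "plan": "pro"},
    {"collected_in": "cn-north-1", "email": "wang@example.cn", "plan": "free"},
    {"collected_in": "us-east-1", "email": "amy@example.com", "plan": "pro"},
]
WAREHOUSE = [ingest(r) for r in SAMPLE]
```

`WAREHOUSE` is what a single global analytics store would hold: `distinct_customers(WAREHOUSE)` counts customers across both regions without any raw email leaving its vault, and a `detokenize` call from outside the vault's region is refused and recorded in `audit_log`.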

Bringing It All Together

In conclusion, the collaboration between Skyflow and AWS offers a comprehensive solution to navigate China's intricate data compliance landscape. By keeping PII and important data governed by PIPL and CSL within China using a data privacy vault, companies can effectively protect sensitive data and accelerate compliance efforts without losing the insights provided by global analytics. This approach not only aligns with regulatory requirements (including the EU’s GDPR) but also provides for scalable and efficient global operations.

Learn more about how your business can scale globally without compromising your data compliance posture.
