I was recently quoted by the Global Data Review publication in relation to the new Personal Information Protection Law (“PIPL”) in China. My comments were in relation to the practical implications of the new laws and how companies in China should prepare for them.

Although PIPL and the other newly enacted regulation the Data Security Law (“DSL”) have both been hotly anticipated given that both went through multiple drafts and for public comments over the past year or so, and the fact that their impacts are very far reaching, many companies are still very much unprepared for data compliance. Most is due to the still lack of detailed requirement regarding data localization, and which sub-category of business operations fall under the classification of CII and so on. Companies operate in China, and not just big tech companies who will feel the most pinch from this, are concerned about if data can still be exported out of China for business operation purposes and responding to regulatory enquires, and whether data should in fact be localized with physical servers, data centers and cloud based operations relocated to China. Many of these questions will hopefully receive further clarifications once the laws are in effect and the relevant local regulators release further guidance and interpretation of their requirements.

It's worth noting that the exact texts of the PIPL have not been released, it'd be interesting to see if it has further surprises in store. 

Surprises or not, the new era of data compliance has truly begun.