Last week, the U.S. government announced it was examining potential national security risks in Alibaba Cloud, focusing on “how Alibaba Cloud stores U.S. clients’ data, including personal information and intellectual property, and whether the Chinese government could gain access to it.” This extends both to the Chinese government seeking to view data or Americans being disrupted from accessing their own information stored on the cloud.
Multinational companies operating in China use Alibaba Cloud to store and manage Chinese citizen data. They typically use Western SaaS software and clouds to manage Western data. The Biden administration investigation is about U.S. citizen data on Alibaba Cloud. As such, multinational companies should have no concerns about continuing to use Chinese vendors to store Chinese citizen data.
The Chinese government spent much of 2021 finalizing its new data regulations, the Personal Information Protection Law (PIPL), and trying to rein in businesses that had improperly handled individuals’ data previously. With much of the summer focused on these issues and a historically short turnaround from the time from the law passing to being enacted—just 3 months, from August to November—it is clear that data residency is an area the Chinese government sees as a strategic advantage.
China is simply implementing data residency because that’s the popular and useful thing to do at the moment. The EU kicked off the current surge in data protection with the GDPR, but in the six years since its passing, the GDPR has routinely been knocked, even by EU officials, as lacking enforcement. China, as well as other countries that have passed or will soon pass data regulations, are naturally correcting that problem by making stricter legislation that emphasizes data residency as a key element of data protection.
PIPL will make data localization—or the need for companies to store and process sensitive data only within China—a virtual necessity in time, but again, that is not unique to China, with data localization mandates gaining popularity across Asia and Africa. PIPL also includes stronger individual rights, another trend in recent data regulations, which emphasizes consent. Individuals can access what info is stored on them, ask for info to be deleted, and withdraw consent at any time.
We at InCountry support countries mandating data privacy regulations for their citizens, and mandating that citizen data does not cross borders without explicit privacy guarantees. We will continue to work with Alibaba Cloud to help multinational companies manage Chinese citizen data in China.