26 Nov 2025

Regulators copy EU personal information protection regs – but add more muscle

Regulators are strengthening personal information (PI) protections.

On November 22, the cyberspace administration (CAC) released draft regulations governing PI protection at “large-scale online platforms” – those with over 10 million monthly active users (MAU).

  • The regs closely follow EU rules for PI protection and management for online services with over 45 million MAU.

However, there are a couple of critical differences.

First, the CAC has stronger data localization rules. As under the EU regs, platforms must designate a senior person to manage PI – but this person must be a Chinese citizen without a long-term residence permit in a foreign country.

  • On top of that, data centers storing PI must be local and also managed by a Chinese citizen without a foreign residence permit.

Second, the CAC can force companies to store data with a third party. If a platform cannot guarantee PI security, authorities can mandate storage with a service provider that meets regulatory requirements.

  • EU rules have no such provision.

Get smart: These rules didn't come out of the blue, and large foreign platforms like Apple, Microsoft, and AWS have already taken big steps to localize data.

  • Nonetheless, these regulations, should they come into force as written, will increase compliance costs.

Get smarter: These regulations will make data exports more difficult. That will disadvantage foreign firms that would prefer to use centralized analytics dependent on the free flow of data.
