China Data Privacy Laws
Data Privacy, State Secrets Laws & “The New Regulations”
Historically, Chinese data privacy laws have been considered complex and somewhat vague. According to the law firm White & Case, China does not currently have a national, comprehensive legal framework to regulate the use and disclosure of personal data. More than 200 local and provincial data privacy laws add a further layer of complexity. In addition, sweeping State Secrecy laws permit national security to be used as the rationale for almost any measure pertaining to data privacy and the Internet/cloud. This environment has created a web of confusion and compliance risk for enterprises interested in international cloud adoption. Questions about who has access to cloud data once it moves outside of China greatly complicate an enterprise’s cloud strategy.
Concrete steps are being taken to fine-tune Chinese regulations, especially in the area of personal information and the Internet. In March 2012, MIIT issued the “New Regulations”, which include significant new data protection requirements applicable to Internet information service providers (IISPs). But while Chinese privacy laws and regulations are becoming more fine-tuned, they are not becoming less restrictive. An active solution to ensure compliance will continue to be a critical requirement for all cloud implementations.
The Blue Coat Cloud Data Protection Gateway lets Chinese enterprises define their data protection policies to ensure that sensitive data is appropriately secured and protected in cloud applications. Authorized administrators can select, on a field-by-field basis, whether to allow a field to remain in clear text, to encrypt field data, or to replace data with a token. When tokens are used as the obfuscation method, sensitive data never leaves the organization’s control in any format – making tokenization particularly useful for organizations that need to adhere to China’s State Secrecy laws.