Making Cloud Adoption In China A Reality (In Spite of Data Privacy and State “Secret” Laws)

Making Cloud Adoption in China a Reality (In Spite of Data Privacy and State “Secret” Laws)

Cloud computing has become a hot growth area in China, driven by both large-scale government initiatives and private investment. However, as alluring as the cloud is in China, for foreign firms trying to do business there, the uncertain legal environment can create a number of serious challenges.

Comprehensive, national regulations on data privacy remain in the draft stage, so for now, data privacy rules are “vague” and are often at the mercy of government interpretation. The legal framework for cloud services is flexible to the point of being unpredictable, especially since the Chinese government may claim national security as a rationale for almost any measure pertaining to data security and the internet/cloud. Sound intimidating? It can be, but “forewarned is forearmed,” so here are two key areas we all need to consider before jumping into the cloud in China.

Data Privacy Laws

No single national data privacy law exists in China, but working group recommendations are making their way through the national process. For example, the Ministry of Industry and Information Technology has issued a draft Information Security Technology – Guide of Personal Information Protection. But, until any recommendations become national law (and to some degree thereafter), there are over 200 local/provincial laws and sector-based regulations for businesses to navigate.

For example, take the Banking Law. Last year, People’s Bank of China (PBOC) issued the “Notice to Urge Banking Financial Institutions to Protect Personal Financial Information,” forbidding banks from storing or processing financial information obtained in China outside of the country. And financial information is defined as/includes: personal identity information, personal property information, personal account information, personal credit information, personal financial transaction information, derivative information; and other personal information acquired or stored in the process of developing business relationships with individuals. Basically, everything!

The good news at least is we’re getting closer to a national law. There is a convergence of new and revised privacy law provisions around the APEC privacy principles, a step in the right direction. But one area where significant differences still exist is in cross-border requirements. This issue, in particular, has proven to be a thorny challenge in other regions around the globe and it will undoubtedly continue to be a hot topic in China. When sensitive data flows across borders (as in the case of a China-based organization using a Western cloud service provider), questions such as “Where is my data located, both in production and in disaster recovery scenarios?” “Individuals with what citizenship have access to my data for hygiene and maintenance?” “Whose jurisdiction and laws apply to data traversing Chinese borders?” etc., complicate any cloud adoption strategy.

Dealing With “State Secrets”

Another key issue to consider is China’s focus on protecting “state secrets.” Chinese authorities are extremely concerned by the types of data transferred via the internet/cloud and the potential threats such transfers may cause to State security.

The Chinese State framework was revised by two important pieces of regulation:

  • Production, reproduction, access, dissemination and transfer of data out of China that may disclose state secrets are strictly forbidden.
  • Chinese authorities have broad discretion to determine the scope of State secrets

And consequences of violations can be significant: individuals employed by foreign companies in China have been known to actually be imprisoned. To further complicate secrecy matters, if data is suddenly considered a secret, that ruling is retroactive to all existing data: information currently stored in the cloud is now potentially in violation of the law.

So where does this leave us? Up a global business “creek” without a single, compliant paddle? Actually, there are in fact lifelines. Tokenization lets enterprises take advantage of the cloud and remain within jurisdictional/regulatory guidelines by ensuring that specified data stays resident, within control of a company’s home-based infrastructure. With tokenization, what travels to the cloud are random tokens as opposed to actual data – so information is undecipherable should it be hacked or improperly accessed. This allows companies to adopt cloud applications and uphold data privacy and compliance rules – even if there are 200 laws to consider. And employees accessing the protected cloud data can enjoy cloud application functionality and the same user experience on tokenized data as with the standard cloud SaaS application.

The key is to do your homework before diving into the Chinese cloud landscape. Because, while it’s clear that in order to keep pace with an ever-changing global economy, businesses have to keep pace with China, it’s also clear this is going to be a marathon – not a sprint.

By David Canellos

David Canellos is the CEO of PerspecSys, a leading provider of cloud data residency and security solutions for the enterprise.

About CloudTweaks

Established in 2009, CloudTweaks is recognized as one of the leading authorities in connected technology information and services.

We embrace and instill thought leadership insights, relevant and timely news related stories, unbiased benchmark reporting as well as offer green/cleantech learning and consultive services around the world.

Our vision is to create awareness and to help find innovative ways to connect our planet in a positive eco-friendly manner.

In the meantime, you may connect with CloudTweaks by following and sharing our resources.

View All Articles

Sorry, comments are closed for this post.

Cloud Native Trends Picking Up – Legacy Security Losing Ground

Cloud Native Trends Picking Up – Legacy Security Losing Ground

Cloud Native Trends Once upon a time, only a select few companies like Google and Salesforce possessed the knowledge and expertise to operate efficient cloud infrastructure and applications. Organizations patronizing those companies benefitted with apps that offered new benefits in flexibility, scalability and cost effectiveness. These days, the sharp division between cloud and on-premises infrastructure…

Do Not Rely On Passwords To Protect Your Online Information

Do Not Rely On Passwords To Protect Your Online Information

Password Challenges  Simple passwords are no longer safe to use online. John Barco, vice president of Global Product Marketing at ForgeRock, explains why it’s time the industry embraced more advanced identity-centric solutions that improve the customer experience while also providing stronger security. Since the beginning of logins, consumers have used a simple username and password to…

Protecting Devices From Data Breach: Identity of Things (IDoT)

Protecting Devices From Data Breach: Identity of Things (IDoT)

How to Identify and Authenticate in the Expanding IoT Ecosystem It is a necessity to protect IoT devices and their associated data. As the IoT ecosystem continues to expand, the need to create an identity to newly-connected things is becoming increasingly crucial. These ‘things’ can include anything from basic sensors and gateways to industrial controls…

The Fully Aware, Hybrid-Cloud Approach

The Fully Aware, Hybrid-Cloud Approach

Hybrid-Cloud Approach For over 20 years, organizations have been attempting to secure their networks and protect their data. However, have any of their efforts really improved security? Today we hear journalists and industry experts talk about the erosion of the perimeter. Some say it’s squishy, others say it’s spongy, and yet another claims it crunchy.…

Your Biggest Data Security Threat Could Be….

Your Biggest Data Security Threat Could Be….

Paying Attention To Data Security Your biggest data security threat could be sitting next to you… Data security is a big concern for businesses. The repercussions of a data security breach ranges from embarrassment, to costly lawsuits and clean-up jobs – particularly when confidential client information is involved. But although more and more businesses are…

Connecting With Customers In The Cloud

Connecting With Customers In The Cloud

Customers in the Cloud Global enterprises in every industry are increasingly turning to cloud-based innovators like Salesforce, ServiceNow, WorkDay and Aria, to handle critical systems like billing, IT services, HCM and CRM. One need look no further than Salesforce’s and Amazon’s most recent earnings report, to see this indeed is not a passing fad, but…

Digital Twin And The End Of The Dreaded Product Recall

Digital Twin And The End Of The Dreaded Product Recall

The Digital Twin  How smart factories and connected assets in the emerging Industrial IoT era along with the automation of machine learning and advancement of artificial intelligence can dramatically change the manufacturing process and put an end to the dreaded product recalls in the future. In recent news, Samsung Electronics Co. has initiated a global…

Virtual Immersion And The Extension/Expansion Of Virtual Reality

Virtual Immersion And The Extension/Expansion Of Virtual Reality

Virtual Immersion And Virtual Reality This is a term I created (Virtual Immersion). Ah…the sweet smell of Virtual Immersion Success! Virtual Immersion© (VI) an extension/expansion of Virtual Reality to include the senses beyond visual and auditory. Years ago there was a television commercial for a bathing product called Calgon. The tagline of the commercial was Calgon…