PII has been enforced in Europe, can China be far behind?


What is personally identifiable information (PII)?

Personally identifiable information (PII) refers to any information related to an identified or identifiable natural person (the "data subject"), including personal data as defined by applicable local laws. An identifiable natural person is one who can be identified, directly or indirectly, in particular through identifiers such as a name, an ID number, address data or an online identifier, or through one or more factors specific to that person's physical, psychological, genetic, mental, economic, cultural or social identity.

What are the European PII implementation requirements?

  • Users' private information must not be collected or stored without their authorization
  • When a user requests deletion of their personal data, the service company must implement one-click deletion across the entire system and must not keep any backup
  • Private information that a user authorized company X to collect in country A must not be transferred to company X's database in country B
  • Internal systems within the enterprise must not exchange users' private information in clear text; private information must be ciphertext even when it moves between internal systems

Europe has already implemented the PII standard, while China still only recommends it and does not enforce it. Think about how many companies will face a massive refactoring if China makes it mandatory in the future.

If we want to avoid such a massive refactoring, we need to plan ahead now. What preparations should we make?

  • Store users' private data in a single system and query it only through that system's unified API, so that when a user asks for their personal data to be deleted, we can delete it with one click
  • Private information exchanged between internal systems must also be ciphertext. The decryption key can be issued centrally by the PII system on a fixed cycle. When an internal system needs the plaintext of private information, it uses this key to decrypt, but it must not save the decrypted data in its own database
  • Large companies generally operate in several countries. Although Hong Kong and Taiwan are said to be part of China, their data counts as cross-regional under the PII rules, so a mainland company cannot transmit private data directly to the Hong Kong or Taiwan company and land it in the database there. If the company there needs to share this private data, the procedure is the same as for internal system interaction
  • In short, the key point is this: if the user authorizes you to obtain private information in Shanghai, that data may only land in the Shanghai database and must never land in a database in another country
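
The preparations listed above, sketched as an added example (not code from the original post or from any company it mentions): a single-region vault with a unified query API, ciphertext-only responses, keys issued per cycle, and one-call deletion. The class and method names, the region labels, the in-memory `Map` standing in for the database, and the choice of AES-256-GCM are all assumptions.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Hypothetical single-region PII vault; class, method and field names are illustrative.
class PiiVault {
  constructor(region) {
    this.region = region;
    this.rows = new Map(); // userId -> { field: value }, the only copy at rest
    this.keys = new Map(); // key cycle -> AES-256 key issued to internal systems
    this.cycle = 0;
    this.rotate();
  }
  // Start a new key cycle; a scheduler would call this at the fixed interval.
  rotate() { this.keys.set(++this.cycle, randomBytes(32)); }
  keyFor(cycle) { return this.keys.get(cycle); }
  // Data may only land in the region where the user authorized its collection.
  put(collectedIn, userId, field, value) {
    if (collectedIn !== this.region) {
      throw new Error(`residency: ${collectedIn} data may not land in ${this.region}`);
    }
    this.rows.set(userId, { ...this.rows.get(userId), [field]: value });
  }
  // Unified query API: callers only ever receive AES-256-GCM ciphertext.
  fetch(userId, field) {
    const row = this.rows.get(userId);
    if (!row || !(field in row)) return null;
    const iv = randomBytes(12);
    const cipher = createCipheriv('aes-256-gcm', this.keys.get(this.cycle), iv);
    const ct = Buffer.concat([cipher.update(row[field], 'utf8'), cipher.final()]);
    return { cycle: this.cycle, iv, ct, tag: cipher.getAuthTag() };
  }
  // One-click delete: consumers hold no plaintext copy, so erasing here is complete.
  erase(userId) { return this.rows.delete(userId); }
}

// Consumer side: decrypt with the key issued for that cycle, use it, do not persist it.
function decryptField(key, { iv, ct, tag }) {
  const decipher = createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag); // a wrong key or tampered message makes final() throw
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample data.
const shanghai = new PiiVault('cn-shanghai');
shanghai.put('cn-shanghai', 'u1001', 'phone', '+86 138 0000 0000');
const message = shanghai.fetch('u1001', 'phone');
console.log(decryptField(shanghai.keyFor(message.cycle), message));
```

In this sketch old cycle keys stay available through `keyFor`; a real deployment would also decide when to retire them and who is allowed to request them.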

It seems that Alibaba's Taobao and Tmall started taking precautions very early, and many of their APIs are clearly marked as meeting the PII standard.