Pay the PIPL - What You Need to Know About China’s New Data Privacy Law
Disclaimer: The following piece is an editorial, and should not be taken as legal advice.
On November 1, 2021, China’s Personal Information Protection Law (PIPL) went into effect, expanding GDPR-like protections on the collection and use of personal data of users in China. We review some of the law’s provisions and unique features from GDPR, as well as important context for university compliance teams. We believe that the new law is worth following, as some key implementation details have not yet been published, but higher education institutions that comply with GDPR and FERPA don’t have much cause for regulatory concern with PIPL.
Provisions
PIPL mimics the EU’s GDPR in many of its stipulations, including that companies employ a data protection officer, and that consumers have more control over how companies manage their data. Companies will now need to obtain individual consent to collect sensitive information such as location and financial accounts, and users will be empowered to switch off targeted advertising. And extra scrutiny applies to data processors that handle highly sensitive data like biometric information.
Other aspects, however, are more novel, including the requirement that large scale data processors store China-originated personal data within China and pass a security review. Organizations must undergo a security review if they process the data of more than 1,000,000 people in China, or 100,000 if the data is “important” or “personal.” The requirement for the localization of data hasn’t been published or announced yet, but the thresholds of 1,000,000 users or 100,000 users with personal data seem commonplace in other Chinese regulations such as the PIS Specification.
Analysis for Universities and Education Institutions
The good news about PIPL is that most institutions have studied global privacy regulations already to comply with GDPR (along with longstanding domestic laws like FERPA), and compliance with FERPA and GDPR would bring an institution into compliance with most of the law’s provisions. It’s also true that overseas higher education is likely (very) far down the list of possible entities of interest by enforcement agencies, since they are generally non-profit, do not store biometric information, don’t monetize personal information or big data, and involve comparatively low amounts of personal data.
Schools typically don’t handle data at the volumes that trigger additional PIPL scrutiny; even the most ambitious international admissions officers don’t store the birthdays and mailing addresses of 100,000 prospective students from one country alone.
Engaging with prospective students on Chinese social media platforms like WeChat, Weibo, and Douyin isn’t relevant for PIPL, given that the platforms themselves own the responsibility for their user data. It is for this reason that we encourage institutions to make use of digital platforms such as to connect with Chinese students. These social media platforms are not assets owned by the schools themselves, even the most successful digital marketing campaigns would not put the school in jeopardy of exceeding regulatory thresholds. And if a social media platform itself commits a PIPL violation, the platform would assume responsibilities, and not the institution using it. Indeed, Chinese tech companies have already taken notice of the law’s requirements and have begun to implement policies to ensure compliance; Tencent, which operates WeChat, one of China’s largest social networks, announced before the law even took effect that they were already amassing a team of legal professionals to advise them on improvements to user data and privacy practices. Similarly, partnering with organizations like Sunrise, who have local Chinese entities, is an effective and low-risk means of marketing your brand within China.
If a university maintains an office in China through which it recruits Chinese students, or if it hosts lead generation forms in China, then this might be considered a cross-border data transfer, since the data is leaving China. If this describes your institution, then you’ll want to add a checkbox in your interest forms giving the user the ability to consent to the cross-border transfer of their data. However, if you direct Chinese students to registration or CRM forms that are hosted in your home country, even if you’re directing them from a locally hosted Chinese website, then this wouldn’t be considered a cross-border transfer.
We recommend that your compliance team stay abreast of updates on the thresholds needed for a foreign data processor to locally store their data. Similar to the GDPR Article 27, the PIPL says that overseas data processors should nominate a local compliance agent or representative, but there is no clear guidance on how an offshore personal information processor can appoint a PRC-based representative or what exceptions would be made for small scale operations. Even in the very privacy-conscious EU, enforcement of Article 27 has been quite lax, and it seems implausible that similar waivers would not be made in China for small scale operations.
In short, the PIPL is a significant step forward for the privacy rights of people in China and an important check on abuses of personal information by big tech and unscrupulous actors. The typical admissions and recruitment activities of universities don’t raise any PIPL red flags. Universities should continue to uphold good digital ethics, meet the needs of GDPR and FERPA, and monitor news about PIPL as authorities offer more guidance.