China’s Personal Information Protection Law (PIPL)

China’s PIPL applies to the processing of personal information of individuals living in mainland China on or after November 1, 2021. 

Per Article 4 of PIPL: "Personal information" refers to various information related to an identified or identifiable natural person recorded electronically or by other means, but does not include anonymized information.

Personal information processing includes personal information collection, storage, use, processing, transmission, provision, disclosure and deletion, among others.

When UCI Must Comply with PIPL

UCI will be required to comply with PIPL if it conducts any activity and:

  • uses or processes personal information of individuals located in mainland China

UCI will be required to comply with PIPL if it carries out processing activities and:

  • uses personal information of individuals when providing goods or services to people in China
  • analyzes the activities of people in China
  • engages in other activities subject to applicable laws and regulations (e.g., study abroad program, recruiting faculty from China, second opinion clinical services)

Please consult with the UCI Privacy Office to determine whether the human subjects research must comply with PIPL. 

PIPL Impact to IRB Submission

UC Legal and UCI Privacy guidance states that “UC should either process personal information of individuals located in China pursuant to their written consent OR as required for a contract with that individual.”

If the UCI Privacy Office confirms that PIPL applies, consent must be explicit and documented (and may be revoked by the subject), but signed consent is not required. Revise the main consent to include the requisite PIPL consent language and upload a copy of the consent with the IRB submission.

  • The template language can be found on the IRB Forms webpage: Consent Language: China’s Personal Information Protection Law (PIPL).
  • If the study has multiple study populations (for example, US & China) it is recommended that a separate consent form be developed with the PIPL language for the population in China, as this language would not apply to the population outside of China.
  • Any requests for revised PIPL consent language must be approved by the UC Campus Privacy Office and/or UCI Counsel (i.e., legal). Evidence of the requisite approval must be uploaded with the IRB submission.

PIPL Summary

Personal Information Includes (not limited to)

  • Contact information (e.g., name, address, telephone number, e-mail address, internet protocol address and/or information that could be linked to an individual, etc.)
  • Health information
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Sexual orientation or beliefs
  • Genetic data

Individual Rights Under PIPL

  • Be informed about the processing of personal information (notice)
  • Obtain access to and a copy of any personal information processed by handlers
  • Withdraw consent to the processing of personal information where consent was previously provided
  • Request correction of any personal information (rectification)
  • Request restriction of certain uses of personal information
  • Request handlers transfer personal information to others (data portability)
  • Request deletion of personal information

One of the Following Must be Met

  • Written consent of individual (must include requisite PIPL consent language)
  • Processing is necessary for a contract to which the individual is a party
  • Processing is necessary for the handler to perform duties or obligations as required by law
  • Processing is necessary to respond to public health emergencies or to protect the life, health or safety of individuals
  • Information has been disclosed by the data subject themselves
  • Processing is necessary to carry out activities for news or in the public interest

Sensitive Personal Information Must Satisfy All Conditions

  • Processing is necessary to achieve a specific purpose
  • Strict protection measures are in place
  • Data subjects are notified about the need to process their sensitive personal information and the impact such processing may have on their rights and interests
  • Data subjects provide their specific separate consent to the processing of their sensitive personal information for the purpose disclosed

Questions

The Regents of the University of California, on behalf of UC Irvine, is responsible for the use of personal information for research. Contact the following entities for:

  • Questions about the requisite PIPL consent language
  • Complaints about the use of personal information
  • Research participant requests relating to the rights listed above

Contact:

Additional Points

  • PIPL requires collection of personal information be minimal.
  • PIPL includes rights relating to “automated decision making,” which covers the use of computer programs to automatically analyze or assess personal behaviors, habits, interests, hobbies, financial, health, credit or other statuses.
  • PIPL refers to “handling” instead of “processing” as used in GDPR to describe uses of personal information. The definition is similar: “the collection, storage, use, refining, transmission, provision, public disclosure or deletion of personal information.”
  • PIPL refers to “handlers” instead of “controllers” as used in GDPR. The definition is similar. These are the individuals who independently determine the purposes and means of processing information. UC is a handler when using personal information for its own research, education and institutional advancement purposes.
  • Handlers outside of China must designate a person in China responsible for “protecting personal information.” This is the “overseas handler.” The overseas handler reports to the Chinese government.
  • Cross-border data transfer of personal information is regulated by PIPL and must meet specific conditions. Per UC Legal, UC must ensure through its contracts with research institutions and others providing personal information of individuals in China that they have also provided notice to and obtained the consent of each data subject.
  • Enforcement and financial penalties for data protection violations of the PIPL will apply.
  • Special thank you to UC Principal Counsel Hillary Kalay & Assistant Counsel Hannah Noll-Wilensky.