China’s Personal Information Protection Law (PIPL)

China’s PIPL applies to the processing of personal information of individuals living in mainland China on or after November 1, 2021 

UCI Requirements

UC will be required to comply with PIPL if conducting any activity and:

  • uses or processes personal information of individuals located in mainland China

UC will be required to comply with PILP if processing activities and:

  • uses personal information of individuals when providing goods or services to people in China
  • analyzes the activities of people in China
  • engages in other activities subject to applicable laws and regulations (e.g., study abroad program, recruiting faculty from China, second opinion clinical services)

The PIPL is similar but more stringent than the European Union’s General Data Protection Regulation (the “GDPR”). PIPL does not allow for processing for “legitimate interests” of the entity.

As such, UC Legal guidance states that “UC should either process personal information of individuals located in China pursuant to their consent OR as required for a contract with that individual.”

PIPL Summary

Personal Information Includes

Individual Rights Under PIPL

One of the Following Must be Met

Sensitive Personal Information Must Satisfy All Conditions

  • Name
  • Date of Birth
  • Address
  • Telephone Number
  • Be informed about the processing of personal information (notice)
  • Obtain access to and a copy of any personal information processed by handlers
  • Able to withdrawal consent to the processing of personal information where consent was previously provided
  • Request correction of any personal information (rectification)
  • Request restriction of certain uses of personal information
  • Request handlers transfer personal information to others (data portability)
  • Request deletion of personal information
  • Consent of individual
  • Processing is necessary for a contract to which the individual is a party
  • Processing is necessary for the handler to perform duties or obligations as required by law
  • Processing is necessary to respond to public health emergencies or to protect the life, health or safety of individuals
  • Information has been disclosed by the data subject themselves
  • Processing is necessary to carry out activities for news or in the public interest
  • Processing is necessary to achieve a specific purpose
  • Strict protection measures are in place
  • Data subjects are notified about the need to process their sensitive personal information and the impact such processing may have on their rights and interests
  • Data subjects provide their specific separate consent to the processing of their sensitive personal information for the purpose disclosed

Additional Points

  • PIPL requires collection of personal information be minimal.
  • PIPL includes rights afforded to “automated decision making” – this includes computer programs to automatically analyze or access personal behaviors, habits, interests, hobbies, financial, health, credit or other statuses.
  • PIPL refers to “handling” instead of “processing” as used in GDPR to describe uses of personal information.  Definition similar: “the collection, storage, use, refining, transmission, provision, public disclosure or deletion of personal information.”
  • PIPL refers to “handlers” instead of “controllers” as used in GDPR.  Definition similar.  These are the individuals who independently determine the purposes and means of processing information. UC a handler when using personal information for own research, education and institutional advancement purposes.
  • Handlers outside of China must designate a person in China responsible for “protecting personal information.” This is the “overseas handler.” Overseas handler reports to the Chinese government.
  • Cross border data transfer of personal information is regulated by PIPL and must meet specific conditions. Per UC Legal, UC must ensure that it’s contracts with research institutions and others providing personal information of individuals in China that they have also provided notice to and obtained consent of each data subject.
  • Enforcement and financial penalties for data protection violations apply
  • Special thank you to UC Principal Counsel Hillary Kalay & Assistant Counsel Hannah Noll-Wilensky