China’s Personal Information Protection Law (PIPL)


China has a new Personal Information Protection Law: the PIPL

The PIPL applies to the processing of personal information of individuals living in mainland China on or after November 1, 2021.

  • UC is required to comply with PIPL if conducting any activity in mainland China and:
    • uses or processes personal information of individuals located in mainland China
  • UC is required to comply with PIPL if processing activities outside of mainland China and:
    • uses personal information of individuals when providing goods or services to people in China
    • analyzes the activities of people in China
    • engages in other activities subject to applicable laws and regulations (e.g., study abroad program, recruiting faculty from China, second opinion clinical services)
  • UC must ensure that its contracts with research institutions and others providing personal information of individuals in China have provided notice to and obtained consent* of each data subject.
  • Researchers should work with their local Privacy Officer for additional guidance; HRP will coordinate to provide any consent text relating to PIPL as necessary per the protocol.
  • The PIPL is similar to, but more stringent than, the European Union’s General Data Protection Regulation (the “GDPR”). One example: the PIPL does not allow for processing for “legitimate interests” of the entity. Accordingly, UC Legal guidance states that “UC should either process personal information of individuals located in China pursuant to their consent OR as required for a contract with that individual.”
  • PIPL refers to “handling” instead of “processing” as used in GDPR to describe uses of personal information. In the PIPL, handling means “the collection, storage, use, refining, transmission, provision, public disclosure or deletion of personal information.”
  • PIPL refers to “handlers” instead of “controllers” as used in GDPR. Handlers outside of China must designate a person in China responsible for “protecting personal information.” This is the “overseas handler.” The overseas handler reports to the Chinese government.
  • PIPL includes rights afforded to “automated decision making.” This includes computer programs to automatically analyze or assess personal behaviors, habits, interests, hobbies, financial, health, credit, or other statuses.
  • PIPL regulates cross-border data transfer of personal information. When transferring personal or sensitive data out of mainland China, security systems must be assessed and approved by the Cyberspace Administration of China.
  • Enforcement and financial penalties for data protection violations apply.

Special thank you to UC Principal Counsel Hillary Kalay & Assistant Counsel Hannah Noll-Wilensky

At a Glance: The PIPL:

Personal Information Includes
  • Name
  • Date of birth
  • Address
  • Telephone number
One of the Following Must be Met
  • Consent of individual (*UC Privacy guidance states that written consent is necessary. There are some exceptions; see Ch. 2 Section 1, Article 13.)
  • Processing necessary for a contract to which the individual is a party
  • Processing is necessary for the handler to perform duties or obligations as required by law
  • Processing is necessary to respond to public health emergencies or to protect the life, health or safety of individuals
  • Information has been disclosed by the data subject themselves
  • Processing is necessary to carry out activities for news or in the public interest
Individual Rights Under the PIPL
  • Be informed about the processing of personal information (notice)
  • Obtain access to and a copy of any personal information processed by handlers
  • Able to withdraw consent to the processing of personal information, where consent was previously provided
  • Request correction of any personal information (rectification)
  • Request restriction of certain uses of personal information
  • Request handlers transfer personal information to others (data portability)
  • Request deletion of personal information
Sensitive Personal Information Must Satisfy All Conditions
  • Processing is necessary to achieve a specific purpose
  • Strict protection measures are in place
  • Data subjects are notified about the need to process their sensitive personal information and the impact such processing may have on their rights and interests
  • Data subjects provide their specific, separate consent to the processing of their sensitive personal information for the purpose disclosed
Copyright © 2022 UCI Office of Research, All rights reserved.