China’s Personal Information
Protection Law (PIPL)
China has a new Personal Information Protection Law: the PIPL. The PIPL applies to the processing of personal information of individuals living in mainland Chinaon or after November 1, 2021
UC is required to comply with PIPL if conducting any activity in mainland China and:
uses or processes personal information of individuals located in mainland China
UC is required to comply with PIPL if processing activities outside of mainland China and:
uses personal information of individuals when providing goods or services to people in China
analyzes the activities of people in China
engages in other activities subject to applicable laws and regulations (e.g., study abroad program, recruiting faculty from China, second opinion clinical services)
UC must ensure that it’s contracts with research institutions and others providing personal information of individuals in China have provided notice to and obtained consent* of each data subject.
Researchers should work with their local Privacy Officer for additional guidance; HRP will coordinate to provide any consent text relating to PIPL as necessary per the protocol.
The PIPL is similar but more stringent than the European Union’s General Data Protection Regulation (the “GDPR”). One example: the PIPL does not allow for processing for “legitimate interests” of the entity. Accordingly, UC Legal guidance states that“UC should either process personal information of individuals located in China pursuant to their consent OR as required for a contract with that individual.”
PIPL refers to “handling” instead of “processing” as used in GDPR to describe uses of personal information.In the PIPL, handling means “the collection, storage, use, refining, transmission, provision, public disclosure or deletion of personal information.”
PIPL refers to “handlers” instead of “controllers” as used in GDPR.Handlers outside of China must designate a person in China responsible for “protecting personal information.” This is the “overseas handler.” Overseas handler reports to the Chinese government.
PIPL includes rights afforded to “automated decision making.” This includes computer programs to automatically analyze or access personal behaviors, habits, interests, hobbies, financial, health, credit, or other statuses.
PIPL regulates cross border data transfer of personal information. When transferring personal or sensitive data out of Mainland China, security systems must be assessed and approved by the Cyberspace Administration of China.
Enforcement and financial penalties for data protection violations apply.
Special thank you to UC Principal Counsel Hillary Kalay & Assistant Counsel Hannah Noll-Wilensky
At a Glance: The PIPL:
Date of birth
One of the Following
Must be Met
Consent of individual (*UC Privacy guidance states that written consent is necessary. There are some exceptions- see Ch. 2 Section 1, Article 13.)
Processing necessary for a contract to which the individual is a party
Processing is necessary for the handler to perform duties or obligations as required by law
Processing is necessary to respond to public health emergencies or to protect the life, health or safety of individuals
Information has been disclosed by the data subject themselves
Processing is necessary to carry out activities for news or in the public interest
Under the PIPL
Be informed about the processing of personal information (notice)
Obtain access to and a copy of any personal information processed by handlers
Able to withdraw consent to the processing of personal information, where consent was previously provided
Request correction of any personal information (rectification)
Request restriction of certain uses of personal information
Request handlers transfer personal information to others (data portability)
Request deletion of personal information
Sensitive Personal Information Must Satisfy All Conditions
Processing is necessary to achieve a specific purpose
Strict protection measures are in place
Data subjects are notified about the need to process their sensitive personal information and the impact such processing may have on their rights and interests
Data subject provide their specific, separate consent to the processing of their sensitive personal information for the purpose disclosed