
Legal Updates

China's Personal Information Protection Law: What Independent Schools Should Know

The Personal Information Protection Law (the “PIPL”) is a data protection law adopted by the People’s Republic of China (the “PRC”) in 2021. The PIPL includes provisions roughly comparable to the European Union’s General Data Protection Regulation (“GDPR”). (We previously prepared a summary of the GDPR’s application to independent schools.)

The PIPL purports to impose data protection requirements on anyone who processes “Personal Information” or “Sensitive Personal Information” of PRC residents. Processors of such information must establish a lawful purpose for the data processing, notify individuals of their rights under the PIPL, and, in some cases, obtain individual consent for data processing.

While the PIPL most directly impacts organizations with a physical presence in the PRC, it is not limited to such entities, and independent schools and other organizations with connections to PRC residents should also be aware of the requirements and potential implications of the PIPL.

Summary Of The PIPL

Definitions: PI and SPI.

The PIPL establishes two general categories of covered personal data:

• “Personal Information” (“PI”), which includes any information that could be used to identify “natural persons” residing in the PRC. This potentially covers a wide range of information, including names, addresses, birthdates, credit card numbers, and other financial access numbers.

• “Sensitive Personal Information” (“SPI”), defined as PI that, if disclosed or illegally used, may cause harm to the data subjects involved. Of particular note for schools, PI of minors under the age of 14 is automatically considered SPI. All SPI is subject to greater protections and requires more stringent compliance measures by data processors.

For purposes of the remainder of this article, “PI” refers to both of these types of personal information.

The PIPL’s Reach.

The PIPL protects the PI of anyone residing in the PRC, regardless of citizenship or national origin. Moreover, by its terms, the law covers data processors located outside the PRC.

Thus, for example, the PIPL applies to Chinese citizens living in the PRC, as well as to American citizens residing in China. By contrast, Chinese citizens residing outside the PRC are not covered. This creates potential ambiguities – for example, as to students who attend school in the United States but have their permanent residence in the PRC. Unfortunately, the PRC has not provided any clarification on such residency issues.

Policy And Notice Requirements.

The PIPL requires data processors to adopt and follow detailed policies and procedures for processing and protecting PI. In addition, the PIPL gives various rights to individuals whose PI is processed, including the right to access and correct their data and to restrict access to their data. The PIPL requires that these policies and rights be prominently displayed by data processors (e.g., on their websites).

Establishing A Lawful Purpose For Data Processing.

Organizations processing the PI of PRC residents must establish, in advance, a lawful basis for that processing. In most cases, data may be legally processed if individual consent is granted. However, the PIPL also contains several other lawful bases for processing that do not require individual consent.

Notably, the PIPL does not include a broad, catch-all legal basis for data processing such as the GDPR’s “Legitimate Interest” standard.

Considerations For Schools And Other Organizations

There are a number of steps we suggest that independent schools and other organizations take in response to the PIPL:

Audit data collection processes. Organizations should audit their current practices to identify any personal data being collected from individuals residing in the PRC. The review should identify what types of information are being collected, how the information is collected, and how it is stored and used.

Consider the likely effects of the PIPL upon your organization. As noted above, the PIPL does not require that an organization have an office or other presence in the PRC to fall within its scope. As a practical matter, however, the Chinese government will be more readily able to enforce PIPL compliance against organizations that have such connections.

For instance, a school or employer that recruits students or employees from the PRC could find itself barred from future recruitment activities if the Chinese government deems it in non-compliance with the PIPL. (The PIPL even includes a “blacklist,” which could prevent organizations from operating in Chinese cyberspace.) Similarly, an organization with a bank account or other financial assets within the PRC could face a freezing or even a seizure of those assets.

By contrast, an organization that obtains PI from PRC residents on only a minimal basis might conclude that the costs of bringing its operations into compliance with the PIPL outweigh any potential risks of being deemed in non-compliance.

Review and update data privacy policies. Schools and other organizations affected by the PIPL should carefully review their existing data privacy policies and, with the assistance of legal counsel, determine what language needs to be added to comply with the PIPL. An organization’s privacy policy, including the required PIPL language, should be prominently displayed on the entity’s website.

Establish a system for obtaining consent. Compliance with the PIPL also requires, in most cases, individual consent. The PIPL makes clear that such consent must be informed, voluntary, and explicit. As covered schools and other organizations will collect most PI from PRC residents through their websites, the best method for securing consent may be a check box or other virtual format that gives the required information and requires an affirmative act signifying consent.

Stay abreast of further developments. The PIPL leaves holes on some important issues. For instance, it is not clear whether some of the requirements of the PIPL apply to smaller entities with a low volume of data processing. Schools and other organizations should be alert for further statements by the Chinese government on such issues.

* * *

If you have questions about the PIPL and its potential application to your school or organization, please feel free to contact one of our attorneys.