China’s Personal Information Protection Law
Background
China’s Personal Information Protection Law (PIPL) is a comprehensive privacy law similar in many respects to the EU GDPR but with its own unique requirements. PIPL was enacted on August 20, 2021, and became effective on November 1, 2021.
PIPL is intended to protect the personal information of persons in Mainland China, which refers to the continental landmass under the direct control of the People’s Republic of China (PRC), including the islands of Hainan Province and five major autonomous regions (i.e., Tibet, Inner Mongolia, Xinjiang, Ningxia and Guangxi).
PIPL does not apply to the Hong Kong Special Autonomous Region (SAR), the Macao SAR, and Taiwan.
PIPL defines personal information broadly as information related to an identified or identifiable natural person recorded electronically or by other means. Personal information does not include anonymized information.
The U of I System Supplemental Privacy Notice – PIPL explains for persons in Mainland China what types of personal information the U of I System collects, how the personal information is used, with whom the personal information is shared, and how persons in Mainland China can exercise their PIPL rights.
Why does the University of Illinois System care about PIPL?
The U of I System takes privacy seriously and is committed to protecting the privacy of students and employees consistent with its obligations under the law. In that regard, PIPL applies not only to entities physically located in Mainland China that handle people’s personal information, but also to entities located outside Mainland China when they engage in certain activities involving the personal information of persons physically located in Mainland China. Violating PIPL when it applies may result in institutional liability, personal liability, and even criminal liability.
PIPL applies to personal information handlers (someone who determines the purposes and means of how personal information is handled) and entrusted parties (someone who handles personal information at the direction of a personal information handler) in three circumstances:
- When they are located in Mainland China and are handling people’s personal information; or,
- When they are located outside Mainland China but are handling the personal information of people physically located in Mainland China and the purpose of the handling is to:
- Provide products or services to people physically located in Mainland China; or,
- Analyze or evaluate the behaviors of people physically located in Mainland China.
With the exception of the University of Illinois Urbana/Champaign’s Shanghai Office and the Zhejiang University/Grainger School of Engineering Joint Degree Program, most University of Illinois System activities do not take place in Mainland China (although individual researchers might collect research data while in Mainland China). Accordingly, the types of university activities that potentially trigger PIPL requirements are those involving providing products or services to people physically located in Mainland China or where the university is analyzing or evaluating the behaviors of people physically located in Mainland China. Examples of such activities could include undergraduate and graduate admissions programs, distance learning courses, study abroad, international programs (especially where participating students are from Mainland China), collecting data using cookies on university websites, and research involving persons physically located in Mainland China.
Questions?
If you are a U of I employee and you have a question about PIPL, please contact the University Ethics and Compliance Office by email at GDPRrequest@uillinois.edu or by telephone at 866-758-2146.
If you are a person in Mainland China and would like to learn how to submit a PIPL request to the U of I System, please see the U of I System Supplemental Privacy Notice – PIPL.