Personal Information Protection Law (PIPL)

Overview

The Personal Information Protection Law (PIPL) outlines rules relating to the protection of personal data and privacy of citizens of the People's Republic of China. PIPL seeks to regulate the processing of personal information and to facilitate "reasonable use" of personal information. PIPL, the Cybersecurity Law, and the Data Security Law work in concert to govern data protection, cybersecurity, and data security in China. 

 

Effective Date: November 1, 2021 

Key Terms
  • Personal Information - various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding information processed anonymously
  • Anonymized Information - personal information processed so that certain natural persons cannot be identified and the identification cannot be recovered
  • Sensitive Personal Information - personal information whose disclosure or illegal use can infringe the dignity of data subjects or damage their safety or property interest. Examples include: 
    • biometrics
    • religious beliefs
    • specific identities
    • medical health
    • financial accounts
    • whereabouts
    • personal information of minors under the age of 14

Regulation Requirements

Personal Information Processing

Personal information processing is only allowed: 

  • where consent is obtained
  • where it is necessary to fulfill the requirements of other laws or statutes
  • where it is necessary to respond to public health emergencies or to protect the life, health, and property safety of individuals
  • under circumstances prescribed by laws and administrative regulations 

Personal information processing consent:

  • must be voluntarily and explicitly given on a fully informed basis
  • must be written when required by certain laws or administrative regulations
  • can be withdrawn without affecting the validity of personal information processing activities that have already been conducted
  • must be re-obtained if the personal information processors change the original purposes or methods of processing

Sensitive Personal Information Processing

Sensitive personal information processing is only allowed: 

  • for specific purposes and only where sufficiently necessary to do so
  • when separate consent from individuals to collect and process sensitive personal information is obtained 
  • when the individual is notified of the necessity of processing their sensitive personal information and the impact it may have

Export Control Requirements for Personal Information

To provide personal information outside of the territory of the People's Republic of China, an organization must: 

  • pass a security assessment established by the Cybersecurity Administration of China (CAC)
  • obtain a personal information protection certification from professional organizations in accordance with the provisions of the CAC
  • enter into a contract with the data recipient either
    • in accordance with a standard contract prescribed by the CAC, or
    • fulfilling conditions stipulated in other laws or regulations

Prior to transferring data outside of China, the exporting organization must notify the data subject of: 

  • the identity of the foreign recipient
  • a method of contacting the recipient
  • the purposes and methods of the recipient's processing
  • the types of personal information involved
  • how the individual data subject can exercise their rights against the recipient 

The exporting organization must also obtain the individual data subject's consent to the transfer.

Pitt Practices

The University of Pittsburgh has formed a working group to further develop Pitt's PIPL compliance program. The working group is comprised of members representing the Office of University Counsel, the Office of Compliance, Investigations, and Ethics, Pitt Information Technology, and Pitt Research.