Overview
The Personal Information Protection Law (PIPL) outlines rules relating to the protection of personal data and privacy of citizens of the People's Republic of China. PIPL seeks to regulate the processing of personal information and to facilitate "reasonable use" of personal information. PIPL, the Cybersecurity Law, and the Data Security Law work in concert to govern data protection, cybersecurity, and data security in China.
Effective Date: November 1, 2021
Key Terms
- Personal Information - various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding information processed anonymously
- Anonymized Information - personal information processed so that it is impossible to identify certain natural persons and so that such identification cannot be recovered
- Sensitive Personal Information - personal information whose disclosure or illegal use can infringe the dignity of data subjects or damage their safety or property interest. Examples include:
  - biometrics
  - religious beliefs
  - specific identities
  - medical health
  - financial accounts
  - whereabouts
  - personal information of minors under the age of 14
Regulation Requirements
Personal Information Processing
Personal information processing is only allowed:
- where consent is obtained
- where it is necessary to fulfill the requirements of other laws or statutes
- where it is necessary to respond to public health emergencies or to protect the life, health, and property safety of individuals
- under circumstances prescribed by laws and administrative regulations
Personal information processing consent:
- must be voluntarily and explicitly given on a fully informed basis
- must be written when required by certain laws or administrative regulations
- can be withdrawn without affecting the validity of personal information processing activities that have been conducted
- shall be re-obtained if the personal information processors change the original purposes or methods of processing
Sensitive Personal Information Processing
Sensitive personal information processing is only allowed:
- for specific purposes and only where sufficiently necessary to do so
- when separate consent from individuals to collect and process sensitive personal information is obtained
- when the individual is notified of the necessity of processing their sensitive personal information and the impact it may have
Export Control Requirements for Personal Information
To provide personal information outside of the territory of the People's Republic of China, an organization must:
- pass a security assessment established by the Cybersecurity Administration of China (CAC)
- obtain a personal information protection certification from professional organizations in accordance with the provisions of the CAC
- enter into a contract with the data recipient either
  - in accordance with a standard contract prescribed by the CAC, or
  - fulfilling conditions stipulated in other laws or regulations
Prior to transferring data outside of China, the exporting organization must notify the data subject of:
- the identity of the foreign recipient
- a method of contacting the recipient
- the purposes and methods of the recipient's processing
- the types of personal information involved
- how the individual data subject can exercise their rights against the recipient
The exporting organization must also obtain the individual data subject's consent to the transfer.
Pitt Practices
The University of Pittsburgh has formed a working group to further develop Pitt's PIPL compliance program. The working group is comprised of members representing the Office of University Counsel, the Office of Compliance, Investigations, and Ethics, Pitt Information Technology, and Pitt Research.