China and the PIPL: New Protections and Rights for Personal Information

On November 1, 2021, China joined the growing number of foreign countries that have adopted new, sweeping data protection legislation.  Sharing many of the same goals and objectives of the EU’s General Data Protection Regulation (GDPR), China’s Personal Information Protection Law (PIPL) seeks to enhance the rights of individuals to understand and control how their personal information is obtained, used, and maintained by third parties.  Similar to the GDPR, the PIPL has an extraterritorial application, meaning that it applies outside of China to entities that process personal information of people within mainland China. The law does not apply to individuals located in Hong Kong, Taiwan, or Macau. 

The Chinese government has yet to release any specific guidance or regulations for PIPL compliance.  For now, here is a summary of what you need to know about this new law and how the PIPL may apply to MIT:

  1. What is Considered Personal Information Under the PIPL: The PIPL defines “personal information” as “all kinds of information related to identified or identifiable natural persons recorded by electronic or other form, excluding anonymized information.”  Similar to the GDPR, the law defines a category of “sensitive personal information” including “any information that may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, medical health information, financial accounts, information on individuals’ whereabouts, as well as personal information of minors under the age of 14.”  The key difference here between the GDPR and the PIPL is that financial information is considered to be a form of sensitive personal information under the PIPL. It is not included as a special category of personal information under the GDPR.
     
  2. What Sort of Activities Are Subject to the PIPL: An entity may be subject to the PIPL if it processes personal information of Chinese residents for the purposes of providing products or services to individuals in China or for the purposes of “analyzing” or “assessing” the behavior of individuals in China.  For MIT and other institutions of higher education, the PIPL may be triggered when an institution obtains applications for admission from Chinese citizens while the individual is located in China, conducts recruitment efforts in China, offers online courses or programs to individuals in China, performs human subjects research using data from Chinese residents (that is not completely anonymized), or collaborates with Chinese academic institutions or organizations.  These examples are similar to the scenarios in which the GDPR applies.
     
  3. What Steps Should You Take if You Are Collecting Personal Information Subject to the PIPL:  If you are engaged in any activity involving the collection and/or use of personal information from individuals in China, you must satisfy the following minimum requirements:
     
    1. Obtain Consent.  While there are many lawful bases for the processing of personal information under the GDPR, the PIPL is largely a consent-driven process.  Prior to obtaining any personal information, you must obtain clear and unambiguous consent directly from the individual, unless an exception applies.  Exceptions to the consent requirement include: obtaining personal information to perform a contract; performance of legal duties or obligations; responding to public health emergencies; news reporting; or processing personal information that has been made public by data subjects.  More information and templates for your use will be made available soon.  If you are currently engaged in the collection of personal information potentially subject to the PIPL, please contact Jason Baletsa (jbaletsa@mit.edu or 617.253.4466) for additional guidance.
       
    2. Privacy Statement.  At the time of the collection of the personal information from individuals located in China, you must provide a privacy statement identifying (i) what personal information is being collected; (ii) how the personal information is being used and by whom (including third parties); (iii) how long the personal information will be retained; and (iv) the process by which individuals can object or withdraw consent to the processing and collection of their personal information.  A sample privacy statement is available on the Risk Management and Compliance Services website. If you need assistance in completing the statement, please contact Jason Baletsa (jbaletsa@mit.edu or 617.253.4466).
       
    3. Vendor Agreements.  If you are collecting personal information from residents in China through a third party, the agreement should be reviewed and possibly amended to clarify (i) processor v. controller status; (ii) legal responsibilities for each party; and (iii) breach notification timeline and process, including indemnification and reimbursement for data breaches, required reporting, and associated fines or penalties.  OGC will provide sample language for updating vendor agreements in order to ensure PIPL compliance.