Personal Information Protection Law of the People’s Republic of China

October 25, 2021

On November 1, 2021, China’s Personal Information Protection Law (PIPL) will go into effect. Stanford University’s DigiChina website has published a translation, here. The PIPL is similar to the General Data Protection Regulation (GDPR) in many ways, however there are some important distinctions (IAPP gives a good overview, here).

As is the case with identified or identifiable data pertaining to individuals in the European Economic Area or United Kingdom (“Personal Data” under GDPR), Personal Information under PIPL is considered Sensitive research data, and must be treated accordingly per the Research Data Security Policy and Enterprise Information Security Policy.

Some basic definitions:

Personal Information: all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, excluding anonymized information. (Includes coded and pseudonymized data.)

Processing Entity (“Processor” or “Handler,” depending on translation): any organization or individual that independently determines the purpose and method of processing in Personal Information processing activities.

Processing: includes the collection, storage, use, processing, transmission, provision, publication, and erasure of Personal Information.

Extraterritorial Applicability: PIPL applies to data processing activities conducted outside of China involving Personal Information of individuals located in China -

  1. where the processing is for the purposes of providing products or services to individuals located in China,
  2. where the processing is for analyzing and evaluating the behavior of individuals located in China, or
  3. under circumstances prescribed by laws and administrative regulations.

(Note: it’s possible that PIPL could apply to a project via the governing contract, such as a Data Use Agreement or sponsored research agreement.)