China’s Drafted Algorithmic Recommendation Technology Provisions
China is well on its way to reaching 1 billion internet users, meaning that the country houses around 20% of all people on the internet to date....
On August 20th, the National People’s Congress of China enacted the Personal Information Protection Law (PIPL), which will become effective on November 1st 2021. The provisions of the PIPL uplift the rights and freedoms of data subjects including your school’s staff, students, and parents. The PIPL does not replace the existing privacy laws in China, but it acts as the primary, nation-wide law regulating the processing of personal information. It is important to understand what the PIPL means for international schools that reside in China and what they can do to achieve and maintain compliance.
The PIPL somewhat reflects the attributes of the GDPR in the sense of protecting the rights and freedoms of natural persons effectively. In correlating their data protection regulations with the GDPR, China is setting a new standard for businesses that process personal data. For instance, schools are expected, among other things, to obtain informed, voluntary and explicit consent from data subjects before the processing of their personal information takes place, and also to develop specific internal handling rules that regulate the processing of sensitive information including financial accounts, individual location and personal information of minors under 14.
PIPL’s new auditing requirement allows companies to ensure that they can carry out proactive internal monitoring of processing activities, allowing them to steer clear of criminal activities that involve personal information.
The key principles noted in the privacy law include:
Individuals must be allowed to withdraw their consent previously provided through an easy mechanism. Other newly established rights include the ability to limit/refuse the processing, and to request information about the extent of the processing and internal handling rules, and to request correction, deletion, and a copy of their personal information.
These rights extend to a deceased person’s next of kin who exercises them for their own lawful, legitimate interests.
Personal Information Impact Assessment (PIIA)
PIIAs are required when the processing involves (must be retained for at least 3 years):
Enforcement
At this moment in time, it has not been disclosed which authorities are responsible for the enforcement of PIPL requirements. However, there are severe sanctions for schools and organisations that do not comply with the new provisions. Inability to comply with the PIPL may lead to administrative fines of up to CNY 50 million or 5% of the annual turnover. Those directly responsible may also be subject to fines and more significantly, they may be prohibited from pursuing managerial positions in similar organisations for a period of time.
Read our Education Privacy Magazine for current data privacy and cybersecurity trends worldwide.
Extraterritorial Scope
The provisions set out by the PIPL have extraterritorial reach, meaning that non-Chinese international schools offering their services to China residents are called to comply with certain provisions of the law as well. The PIPL applies to the handling of personal information of natural persons within China, and to handling activities outside the borders:
What should schools in China be doing in light of the PIPL?
Schools should, at a minimum, (1) review data protection policies and procedures to understand the ways in which they need to be changed or the ones that need to be developed, (2) ensure these policies and procedures are fully implemented within the organisation, (3) ensure that the roles and responsibilities of staff are well allocated and known across the organisation, and (3) make cybersecurity a priority to prevent any security incidents.
How 9ine can help schools impacted by the PIPL?
Schools can book a free one hour workshop on how to implement change in their school in order to comply with the PIPL. Workshops are hosted by 9ines in-house experts, ensuring that instructional information can be supplied to senior leadership so that compliance can be managed and understood at an executive level. Commitment from senior leadership reassures staff that responsibility for compliance is shared cross departmentally, and internal support is accessible. In participating in one of 9ine’s strategic workshops, your school will be better equipped in tackling the implementation of new privacy provisions in China.
If you would like to speak directly with one of 9ine's consultants about what your school can do to prepare for the PIPL
China is well on its way to reaching 1 billion internet users, meaning that the country houses around 20% of all people on the internet to date....
Technology is transformative. In 2020 schools and universities worldwide are dependent on the IT infrastructure that supports them. As schools...
1 min read
Over the course of 2021, we wrote about a variety of upcoming privacy laws around the world. However, we can see that countries in Asia are likely to...