On September 6, 2023, the Cyberspace Administration of China (CAC) imposed a fine of RMB 50 million (approximately $7 million USD) on the operators of China National Knowledge Infrastructure (CNKI), an academic database, for the illegal handling of users’ personal information.
This appears to be only the second time that the CAC has fined an entity for non-compliance with the Personal Information Protection Law (the other being when the CAC fined Didi, a Chinese ride-hailing company, $1.2 billion in July 2022).
On September 6, 2023, the Cyberspace Administration of China (CAC) imposed a fine of RMB 50 million (approximately $7 million USD) on the operators of China National Knowledge Infrastructure (CNKI), China’s largest academic database. CNKI is primarily operated by three companies - Tongfang Knowledge Network (Beijing) Technology Co., Ltd, Tongfang Knowledge Network Digital Publishing Technology Co., Ltd, and China Academic Journals (CD Edition) Electronic Publishing House Co., Ltd. Together, the three companies operated 14 apps that the CAC found were used for activities prohibited by the Personal Information Protection Law (PIPL), such as collecting personal information in violation of “necessary principles” or without consent, failing to publicly disclose or clearly state collection and usage rules, failing to provide an account cancellation function, or not promptly deleting user personal information after account cancellation. The CAC ordered the companies to immediately cease the illegal handling of personal information and imposed the maximum (non-revenue-based) fine authorized under the PIPL.
The decision follows an ongoing investigation of CNKI by the CAC, which began in 2022 and resulted in the April 2023 suspension of several foreign (U.S., Taiwan, and Hong Kong) universities and research institutes’ access to the academic databases maintained by CNKI. In that case, however, the suspension appeared to be related to the non-compliant cross-border transfer of data, whereas the recent fine is based on collecting personal information without consent and failing to provide proper privacy notices. The suspension remains in place while the CAC conducts a cross-border transfer assessment in compliance with applicable laws. The assessment, which CNKI said would take 3-6 months to complete, appears to be ongoing.
This is only the second time that the CAC has issued a fine based on the PIPL, which took effect November 1, 2021. The CAC issued the first fine more than a year ago, on July 21, 2022, when it fined China’s leading ride-hailing company, Didi, RMB 8.026 billion (approximately $1.2 billion USD) for violations of the Cybersecurity Law, the Data Security Law, and the PIPL. The CAC also imposed a personal fine of RMB 1 million (approximately $140,000 USD) on Didi's chairman and CEO Cheng Wei and President Liu Qing.
Some academics have suggested that the CAC may have targeted CNKI under the guise of data privacy compliance in an effort to stem the flow of research data from China to foreign countries. As one professor was recently quoted in a Times Higher Education article, “Whether [data privacy compliance] is the real reason for the procedure or whether it is about stronger censorship will be shown by whether at least the same – already restricted – access is restored.” While many institutions were initially hopeful that the issues leading to the April 2023 suspension would ultimately be resolved by implementing relatively minor changes, such as by adding new terms to CNKI’s contracts with institutions to allow the transfer of data from China to the U.S., the CAC’s latest enforcement action and fine against CNKI cast a shadow of doubt. If the CAC is in fact targeting CNKI in an effort to stem the flow of research data from China to foreign companies, the CAC could conclude its cross-border transfer assessment by indefinitely prohibiting CNKI from allowing U.S. institutions to access the currently suspended services, for example on the basis that U.S. laws and regulations do not sufficiently protect the data CNKI transfers to U.S. institutions.
Whatever the Chinese government’s motive may be, with both the Didi and CNKI fines, the CAC has indicated that it will continue to strengthen enforcement in the areas of cybersecurity, data security and personal information protection. Furthermore, with its fine against CNKI, the Chinese government has made it clear that the PIPL’s maximum fines are not exclusively reserved for giant tech companies that are most frequently the subject of maximum fines under other nations’ comprehensive data privacy laws, such as the EEA’s General Data Protection Regulation. This may be the first PIPL fine in the education sector, but it’s unlikely to be the last. As always, U.S. institutions of higher education should continue to ensure that all of their activities comply with the PIPL and other relevant data security laws.