XL INSIGHTS+
Legal Alerts and News Updates

Recent PIPL Enforcement Actions: What We Know So Far

Updated: 18 hours ago

While it has been little more than a year since China’s Personal Information Protection Regulation (“PIPL”) took effect, Chinese regulatory authorities have initiated over 350 PIPL enforcement actions, producing some important takeaways for U.S. higher education institutions. (We note that this analysis only covers enforcement at the national level and does not address the more than 1500 violations that have been issued by provincial authorities.)


In good news for higher education institutions, thus far, no PIPL enforcement actions have been brought against any educational institutions; the vast majority of PIPL enforcement actions have been against software application (“app”) providers. And in further good news for U.S. institutions that have no operations in China, all PIPL enforcement actions so far have been based on personal information handling activities that occurred within China’s borders.


Through analyzing the 350+ PIPL enforcement actions, it is possible to identify several types of violations most frequently subject to enforcement actions and potentially relevant to higher education activities. Of the 350+ enforcement actions, 31% included violations for the illegal or excessive collection of personal information. Additionally, 19% included violations related to privacy policies, including failure to have a privacy policy, failure to make a privacy policy easily accessible, and lack of clarity or transparency in a privacy policy. Around 15% of enforcement actions involved handling personal information in a manner that is misleading, deceptive, fraudulent, or coercive. Lastly, 3% of enforcement actions involved violations for sharing sensitive personal information without consent.



Only one enforcement action has resulted in administrative fines ($1.2B against Chinese ride-share company DiDi, plus two individual fines of $148K imposed against DiDi’s Chairman/CEO and President), while the rest have mostly resulted in corrective orders requiring quick action. Corrective order compliance deadlines have varied on a case-by-case basis, ranging from six to thirty days, with Chinese regulatory authorities giving offenders, on average, fourteen days to comply with the corrective orders.


Even though there have been no PIPL enforcement actions against educational institutions and none based solely on personal information handling outside China, U.S. higher education institutions should not underestimate PIPL compliance risks and should not wait until they receive an urgent corrective order to begin implementing PIPL compliance measures. Given the types of most frequent violations described above, institutions would be well advised to take the following preventative measures:

  • Minimize the amount of personal information they collect and instill an organizational culture that insists upon collecting no more personal information than is strictly needed to fulfill specific, well-defined purposes;

  • Review their privacy policies to ensure they are accessible, clear, and include all information required by the PIPL; and

  • Ensure that they obtain consent before handling any PIPL sensitive personal information.

