Don't Get Caught with Your IP Address Down: How University Websites Can Stay PIPL Compliant

The world is no longer just a global village - it's a (mostly) friendly neighborhood. Distance is no obstacle to collaboration and now more than ever people globally are seeking opportunities and experiences outside their home countries, especially in the area of higher education. This seems to be particularly true for millions of Chinese students who have chosen to study abroad over the last few years, particularly in the United States, Australia, the United Kingdom (UK), Canada, and Japan.

There were approximately 1.73 million Chinese citizens studying abroad in 2019 before COVID interrupted everyone's lives, sending foreign students back home. As the pandemic has eased they are slowly starting to return, particularly back to the UK where there were 134,625 Chinese citizens studying in the 2020/2021 academic year, representing the largest group of university-going non-UK students. This number has been steadily increasing, making China one of the most important countries of origin for international students in the UK.

This poses some interesting challenges for the IT support in universities as China has a series of cybersecurity and data privacy laws that, while similar to the General Data Protection Regulation (GDPR) in effect in the UK, have some unique requirements for institutions’ to be compliant.

The Personal Information Protection Law (PIPL) is the data protection regulation in China that places strict requirements on how organizations collect, use, store, and transfer the personal information of Chinese nationals. And they take violations of these laws very seriously.

The Rise and Stumble of Didi - China’s Clear Signal That They Are Taking PIPL Seriously.

In June 2021 the Chinese ride-hailing giant Didi Global became the subject of a cybersecurity review by the Cyberspace Administration of China (CAC). The investigation found that Didi had illegally collected and used personal data without users' consent and they were ordered to stop registering new users.

The company was forced to suspend its app downloads and was required to make changes to its operations and data management practices. They were also issued a fine. Didi did resume new user registrations in November 2021 but suffered a huge drop in their share price as well as great financial losses due to the interruption of their operations.

This incident, right at the time of the introduction of PIPL, became a clear indication that the Chinese government would be taking its data privacy laws seriously, and acting swiftly against violators.

And while Didi has its operations in China, these laws also apply to organizations outside of its borders.

Wait a Minute! Even If We Are Not Based In China We Have To Be Compliant?

PIPL is a national law with extraterritorial scope, meaning it applies to entities doing business both within and outside of China. Even if your organization is not physically located in China, if you are collecting or tracking any of the personal information of Chinese nationals, your website and IT systems are required to be PIPL compliant.

The definition of personal information under the PIPL is broad and includes:

• Personal information such as name, date of birth, identification number, and passport number.
• Biometric information such as fingerprints, facial recognition data, and voiceprints.
• Communication information such as an address, phone number, and email address.
• Personal characteristics such as gender, race, ethnicity, and religious beliefs.
• Behavioral information such as browsing and search history.
• Personal credit information such as credit history and credit score.

Universities As Well?

PIPL does not provide any specific exemptions for higher education institutions - they are subject to PIPL if they process the personal information of Chinese residents to provide products or services to, or “analyze” or “assess” the behavior of, individuals in China.

Any higher education institution that, for example, receives admissions applications from Chinese citizens in China, recruits students in China, responds to requests for information from individuals in China, or conducts research using identifiable data from Chinese citizens has to ensure their website and practices are PIPL compliant.

Higher education institutions are subject to the overarching principles of the law and are required to comply with its requirements to protect personal information.

What Can Happen If We Are Not Compliant?

Foreign universities wanting to attract Chinese students spend a lot of time and money on a range of recruiting activities from ensuring a strong online presence, advertising on Chinese search engines like Baidu, and social media platforms like Weibo, to attending education fairs in China, working with Chinese agents and even establishing dedicated offices and staff in China to manage their marketing and recruitment efforts in the country.

Failing to comply with PIPL regulations can jeopardize all of these activities and create serious reputational risk and financial loss for the institution. While the Chinese government may not have direct jurisdiction over universities outside of China, they can still take action against violators of PIPL within their own borders.

For example, non-compliant websites face the threat of being blocked in China through a system known as the Great Firewall of China which uses a combination of technological and regulatory measures to monitor and control the flow of information on the internet in China.

The Chinese government may also take action against that university's operations in China, closing down any local offices, terminating local partnerships or agency agreements, and refusing visas to conduct recruiting activities there. This could include banning them from participating in Chinese government-funded research or programs or imposing financial penalties.

There have been a number of instances of UK universities falling foul of PIPL. For example in 2018 and 2019 the Universities of Cambridge and Oxford faced criticism from Chinese officials for using third-party apps and software that collected personal information without proper consent from users.

They were forced to issue apologies and bring their practices into alignment with PIPL. They received significant negative publicity in China and faced criticism from Chinese officials and media.

We’re Convinced. What Do We Need To Do?

While it can seem overwhelming, getting your website PIPL compliant requires a few strategic steps. It is helpful to work with a partner that is both familiar with PIPL and who has IT expertise to put the necessary systems and processes in place. Some of the steps you will need to do include:

• Conduct a comprehensive audit of all personal information collected, processed, and stored by the university on Chinese citizens.
• Review and update the university's data protection policies and procedures to ensure compliance with the requirements of PIPL.
• Appoint a data representative located in China to serve as a point of contact for regulatory authorities and data subjects in China. Again, you will need to partner with IT teams that have existing networks and connections in China.
• Obtain valid consent from Chinese citizens whose personal information is being collected, processed, or stored by the university.
• Implement technical and organizational measures to protect personal information, including access controls, encryption, and data backup and recovery.
• Monitor compliance with PIPL and regularly review and update data protection policies and procedures to ensure ongoing compliance. Having an external partner specializing in IT operations in China can be very useful here, as they can keep you updated with any changes in the law and recommend necessary process changes.

With Great Opportunities Come Great Responsibilities

Ensuring that university websites are compliant with PIPL is essential for institutions that welcome foreign students, especially those from China. By taking steps to comply with PIPL, universities can not only protect the privacy rights of their students but also foster a culture of trust and accountability, and in doing so, they can attract and retain students from around the world.

Choosing the right partner to help you become PIPL compliant is critical, bringing the right balance of IT expertise and skill along with knowledge of and experience in Chinese law and business operations. QTS Global has partnered with countless organizations and institutions as they have expanded to do business with China.