There were approximately 1.73 million Chinese citizens studying abroad in 2019 before COVID interrupted everyone's lives, sending foreign students back home. As the pandemic has eased they are slowly starting to return, particularly back to the UK where there were 134,625 Chinese citizens studying in the 2020/2021 academic year, representing the largest group of university-going non-UK students. This number has been steadily increasing, making China one of the most important countries of origin for international students in the UK.
This poses some interesting challenges for the IT support in universities as China has a series of cybersecurity and data privacy laws that, while similar to the General Data Protection Regulation (GDPR) in effect in the UK, have some unique requirements for institutions’ to be compliant.
The Personal Information Protection Law (PIPL) is the data protection regulation in China that places strict requirements on how organizations collect, use, store, and transfer the personal information of Chinese nationals. And they take violations of these laws very seriously.
In June 2021 the Chinese ride-hailing giant Didi Global became the subject of a cybersecurity review by the Cyberspace Administration of China (CAC). The investigation found that Didi had illegally collected and used personal data without users' consent and they were ordered to stop registering new users.
The company was forced to suspend its app downloads and was required to make changes to its operations and data management practices. They were also issued a fine. Didi did resume new user registrations in November 2021 but suffered a huge drop in their share price as well as great financial losses due to the interruption of their operations.
This incident, right at the time of the introduction of PIPL, became a clear indication that the Chinese government would be taking its data privacy laws seriously, and acting swiftly against violators.
And while Didi has its operations in China, these laws also apply to organizations outside of its borders.
PIPL is a national law with extraterritorial scope, meaning it applies to entities doing business both within and outside of China. Even if your organization is not physically located in China, if you are collecting or tracking any of the personal information of Chinese nationals, your website and IT systems are required to be PIPL compliant.
The definition of personal information under the PIPL is broad and includes:
PIPL does not provide any specific exemptions for higher education institutions - they are subject to PIPL if they process the personal information of Chinese residents to provide products or services to, or “analyze” or “assess” the behavior of, individuals in China.
Any higher education institution that, for example, receives admissions applications from Chinese citizens in China, recruits students in China, responds to requests for information from individuals in China, or conducts research using identifiable data from Chinese citizens has to ensure their website and practices are PIPL compliant.
Higher education institutions are subject to the overarching principles of the law and are required to comply with its requirements to protect personal information.
Foreign universities wanting to attract Chinese students spend a lot of time and money on a range of recruiting activities from ensuring a strong online presence, advertising on Chinese search engines like Baidu, and social media platforms like Weibo, to attending education fairs in China, working with Chinese agents and even establishing dedicated offices and staff in China to manage their marketing and recruitment efforts in the country.
Failing to comply with PIPL regulations can jeopardize all of these activities and create serious reputational risk and financial loss for the institution. While the Chinese government may not have direct jurisdiction over universities outside of China, they can still take action against violators of PIPL within their own borders.
For example, non-compliant websites face the threat of being blocked in China through a system known as the Great Firewall of China which uses a combination of technological and regulatory measures to monitor and control the flow of information on the internet in China.
The Chinese government may also take action against that university's operations in China, closing down any local offices, terminating local partnerships or agency agreements, and refusing visas to conduct recruiting activities there. This could include banning them from participating in Chinese government-funded research or programs or imposing financial penalties.
There have been a number of instances of UK universities falling foul of PIPL. For example in 2018 and 2019 the Universities of Cambridge and Oxford faced criticism from Chinese officials for using third-party apps and software that collected personal information without proper consent from users.
They were forced to issue apologies and bring their practices into alignment with PIPL. They received significant negative publicity in China and faced criticism from Chinese officials and media.
While it can seem overwhelming, getting your website PIPL compliant requires a few strategic steps. It is helpful to work with a partner that is both familiar with PIPL and who has IT expertise to put the necessary systems and processes in place. Some of the steps you will need to do include:
Ensuring that university websites are compliant with PIPL is essential for institutions that welcome foreign students, especially those from China. By taking steps to comply with PIPL, universities can not only protect the privacy rights of their students but also foster a culture of trust and accountability, and in doing so, they can attract and retain students from around the world.
Choosing the right partner to help you become PIPL compliant is critical, bringing the right balance of IT expertise and skill along with knowledge of and experience in Chinese law and business operations. QTS Global has partnered with countless organizations and institutions as they have expanded to do business with China.