On August 20, 2021, the Standing Committee of China's National People's Congress promulgated China's Personal Information Protection Law (PIPL), which took effect November 1, 2021.
The sweeping law, which draws some parallels to the European Union's General Data Protection Regulation (GDPR), imposes heightened safeguards for the protection of personal information of its residents with extraterritorial scope, JD Supra reported. Therefore, the PIPL applies to entities both within and outside of China that process personal information on natural persons within the territory of China.
The measure impacts U.S. institutions with a physical site in China, particularly regarding how they have to register and engage in connection with data sharing. It also impacts any college or university in the U.S. that processes personal information of Chinese residents for the purposes of providing products or services to individuals in China; "analyzing" or "assessing" the behavior of individuals in China; or, as provided in Article 3 of PIPL, for other purposes to be specified by laws and regulations. As a result, any higher education institutions that, for example, obtain admissions applications from Chinese citizens while the individual is located in China, conduct recruitment in China, respond to requests for information from individuals located in China, conduct research using data from Chinese citizens (that is not anonymized) or work with Chinese academic institutions or organizations, may potentially be implicated by PIPL, according to JD Supra.
The detailed requirements under the PIPL have yet to be fleshed out by the Chinese authorities by way of Implementing Regulations/Rules, although some draft rules were released in the past few months. AACRAO intends to monitor these forthcoming developments and provide additional compliance guidance to institutions.
A second issue, related to recent U.S. regulations governing Controlled Unclassified Information (CUI), is also sparking confusion and concern. CUI is government-created or -owned information that is sensitive but unclassified and must be protected from unauthorized disclosure. Most data sourced from the U.S. Education Department, including information used in the administration of Title IV aid programs, are considered CUI.
As part of the Federal Student Aid (FSA) office's multi-year phased implementation of its Campus Cybersecurity Program framework, the agency is working to update some of its guidelines and best practices to safeguard sensitive information, particularly as data breaches become more widespread. To help mitigate risks related to CUI, FSA issued recommended requirements for institutions receiving CUI from the department, encouraging colleges and universities to review and adopt the National Institute of Standards and Technology Special Publication 800-171 Rev. 2, Controlled Unclassified Information in Nonfederal Systems (NIST SP 800-171 Rev. 2), through readiness and outreach activities.
The 110 CUI categories have long been closely tied to research data and federal grants, and now appear to extend to student data as well.
AACRAO is working with Education Department officials to clarify the impact of the CUI regulations with regard to the Family Educational Rights and Privacy Act (FERPA).