In August 2021, China announced a set of expansive data protection policies emulating the EU's General Data Protection Regulation (GDPR). First came the Personal Information Protection Law (PIPL), which restricted the transfer of personal data of Chinese citizens across the border. The law took effect in November 2021, which gave companies very little time to comply.
As under GDPR, companies were required to submit to a security assessment conducted by Chinese regulators before transferring data and would have to appoint local representatives to handle privacy issues. So what are the dos and don'ts in regard to PIPL?
Personal Information Protection Law ('PIPL') regulates those collecting and handling personal information. For companies processing employee data, a robust data security system should be integrated into the IT infrastructure and in line with PIPL.
Whilst PIPL largely affects companies handling consumer data, employers are not immune from PIPL and should be fully compliant to mitigate risks. Specifically, the Civil Code of the People's Republic of China, amended in 2020, defines personal information as follows:
'Personal information refers to any information electronically or otherwise recorded that can be used, either alone or in combination with other information, to identify a specific natural person, including the name, date of birth, identification document number, biometric information, address, telephone number, email address, health information or whereabouts of the natural person.' (Article 1032)
Therefore, employers should strengthen internal employee data management systems to secure employees' data. At Horizons, we have been advising companies in formulating compliance mechanisms. Below, we outline the main dos and don'ts of processing employee data from our experience.
DO IMPLEMENT CLASSIFICATION MANAGEMENT
Companies should review the existing personal information of employees and classify the information according to its level of sensitivity. Under PIPL, employers are not required to obtain employees' consent where processing is necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded (Art. 13). However, separate consent is required for the handling of information that is not covered by employment policies or labour contracts. In particular, companies processing sensitive information that falls outside human resources management (including religious beliefs, biometrics, specific identities, medical and health information, financial accounts, whereabouts, and other such information of a natural person) will need to obtain separate consent, and sensitive personal information is subject to stricter measures.
We suggest companies utilize a classification system for the personal information held and establish robust policies to process the data according to PIPL.
DON'T OVERLOOK TECHNICAL SECURITY MEASURES
Companies should have already established cyber security measures under the Cyber Security Law ('CSL'), in effect since 2017. Specifically, the network system should be protected from cyber-attacks and leakage. Regularly reviewing the IT system and updating equipment and software are essential for companies to be safeguarded from new forms of cyber-attack.
Equally, contracting the processing of personal information to third parties can be a vulnerable area. We advise companies to review related contracts and agreements to ensure third parties do not infringe on personal privacy rights. If necessary, clauses should be redrafted to comply with PIPL and CSL.
DO ASSESS CONTROL AND SCHEDULE REGULAR TRAINING
Where necessary, companies may transfer personal information outside of mainland China only if one of the conditions in Article 38 of PIPL is met:
- Where a security assessment organized by the national cyberspace authority has been passed under Article 40 of this Law;
- Where certification of personal information protection has been given by a professional institution in accordance with the regulations of the national cyberspace authority;
- Where a contract in compliance with the standard contract provided by the national cyberspace authority has been concluded with the overseas recipient, establishing the rights and obligations of both parties; or
- Where any other condition prescribed by law, administrative regulations, or the national cyberspace authority is met.
- Where there is any stipulation on the condition or any other stipulation for the provision of personal information to a recipient outside the territory of the People's Republic of China in any international treaty or agreement concluded or acceded to by the People's Republic of China, such stipulation may apply.
Though the national cyberspace authority has not yet issued the aforementioned materials, companies must draft a control mechanism and schedule regular training for the personnel in charge to ensure international data transfers comply with PIPL and forthcoming regulations.
DON'T NEGLECT AN INCIDENT EMERGENCY RESPONSE PLAN
The amended Civil Code addresses the protection of personal information and the right to privacy. Privacy is defined under the Civil Code as the following:
The private life of a natural person is not to be intruded upon, as well as any private space, private activity, or private information of the natural person that he or she does not want to be known by others. [And] no organization or individual may, by means of spying, intrusion, exposure, disclosure, or otherwise, infringe upon another's right to privacy. (Article 1032)
In other words, employers must protect employees' personal information and their right to privacy when handling employees' data. As a result, companies should not neglect to implement an incident emergency response plan to demonstrate their commitment to protecting personal information. The company may use the emergency response plan provisions under CSL as guidelines.
Both the amended Civil Code and PIPL call for employers to strictly regulate the handling of employees' personal information. Specifically, a comprehensive internal governance system should be established to mitigate penalties. Failure to perform obligations under PIPL can be subject to a fine of CNY 1 million on the violator, and any person in charge or other individual directly responsible will face fines between CNY 100,000 and CNY 1 million, as well as being suspended from serving as director, supervisor, senior officer, or personal information protection officer of an enterprise for a period of time.