Managing Business Related and Personal Data When Conducting Internal Investigations in China
In recent years, Mainland China has in quick succession introduced various legislation in the areas of data and personal information protection. At the same time, Chinese authorities have been seen to take wide ranging enforcement actions against corporations and individuals falling foul of the law, ranging from administrative inspections and targeted campaigns by administrative authorities, to criminal investigations by the police. According to publicly reported court judgements in Mainland China in the period of 2018 to 2020, there were more than 200 civil dispute cases of alleged personal information related infringement claims, and over 2,900 criminal cases involving abuse of personal information.
With the introduction of the new Data Security Law (DSL) (effective from 1 September 2021) and the Personal Information Protection Law (PIPL) (to come into effect on 1 November 2021), companies doing business in Mainland China may face more intense scrutiny on how business-related and personal data are handled when conducting internal investigations in Mainland China.
What are the challenges posed to an investigation by data related issues in Mainland China?
The prolific use of online communications technology and the availability of multiple social messaging apps in Mainland China have raised significant challenges to companies on how their employees are conducting business- and work-related communications. This in turn poses systems control, regulatory compliance, and practical concerns as to the monitoring and collection of business-related data, and the extent to which personal data becomes intermingled with the same. Consequently, companies have met various obstacles in finding and securing important evidence while ensuring the investigation process and data collection measures are consistent with the constantly evolving laws and regulations in Mainland China. Typical scenarios include:
- Prevalent use of non-company issued devices for work related communications and business: Although communication records, emails and documentation for work related purposes are generally considered as company property, accessing such information that is stored electronically on non-company issued devices (laptops, mobile handsets, etc.) without the employee’s consent may be deemed by Chinese courts and regulators as infringing on the employee’s personal rights and interests residing in any personal information contained in these devices.
- Use of social messaging platforms with personal accounts for business and work purposes: Employees’ communications on personal accounts set up on social messaging platforms (such as WeChat, QQ and WhatsApp) via company issued or personal devices are not accessible to employers without the employees’ consent. Some social messaging platforms, such as WeChat, also allow users to make payments or send documents to others, and these records are likewise not accessible to employers without the employee’s consent. Hence, getting access to this data can be very difficult and employees sometimes object to this on data privacy grounds. Nonetheless, corporates continue to allow their employees to conduct business-related communications and to transfer business-related documents via employees’ personal accounts without sufficient compliance frameworks in place.
- Use of company-issued devices with dual SIM functions: As many new mobile phones allow users to use two SIM cards (i.e., two telephone numbers) simultaneously, employees often use both a company-issued SIM card and a personal SIM card in the same company-issued mobile phone. This creates some difficulty in determining which SIM card has been used to conduct business-related communications and store business-related data. An employer will also not be able to access and review data contained in the employee’s personal SIM card without the card holder’s consent, even if the data in question is work related.
- Access to email servers within and outside of Mainland China: Multinational companies often have email servers sitting both inside and outside of Mainland China to serve their business operations in China. Chinese law, however, may impose certain cross-border transfer restrictions on a foreign company trying to access and review email server data within Mainland China as part of an internal investigation (noting that certain personal and non-personal information is subject to data localization restrictions). Accessing email servers located in Mainland China without a China data protection compliance program in place, or, in the case of an employee’s personal information, without obtaining the employee’s specific consent at the time (which can be problematic in an investigation context), may also violate certain data protection provisions under Chinese law.
- Workplace monitoring: Certain personal information protection considerations may arise when an employer conducts monitoring of business communications and wishes to use that data when gathering evidence for an investigation. It should be noted that Chinese law generally prohibits the conduct of monitoring without express consent, including using monitoring software on company-issued mobile phones or computers, recording employees’ telephone conversations, or tracking employees’ locations.
How can companies manage the handling of business related and personal data without jeopardizing an investigation?
- Obtain written consent from the relevant individuals if possible: Collection and handling of personal data (as well as business related data/communications intermingled with personal data) as part of an investigation without an individual employee’s consent may result in the affected employee bringing a lawsuit against the company or filing complaints with various local authorities. The best time to give this notice, and get this consent, is at employee onboarding, as part of the standard employee privacy notice/consent. It can be more difficult to get such consent in the midst of an investigation.
- Involve local IT and legal teams to handle the locally stored server data: Ensure that data stored and backed up to local servers is handled by the local entity’s local IT and legal teams based in Mainland China, instead of individuals based outside of Mainland China. This will help to avoid creating potential cross-border transfer issues.
- Redact personal data before cross-border transfer: Redact any personal information identified during the investigation before sending relevant materials / data to any reviewers outside of China. However, as mentioned above, keep in mind that certain non-personal data is also subject to data localization restrictions.
What can companies do to reduce these risks and challenges in advance of any investigation?
A number of proactive steps can also be taken well in advance of any investigation:
- Establish internal policies requiring employees to use only company issued devices for work related communications and business, and governing the use of WeChat and similar platforms.
- At the employee on-boarding stage, have the employee agree to privacy and use of data notices and consents with sufficient scope to cover the collection, processing, review, transfer and cross-border access/transfer of data for the purposes of investigations. The PIPL has introduced new “separate” consent requirements, on top of existing “express” and “explicit” consent requirements, for certain activities, meaning that organizations should be reviewing and updating their employee consent language before November 1, 2021.
- Provide training to the IT and legal teams regarding the relevant personal data protection laws in China, including (given the extra-territorial effect of the DSL and PIPL) how they apply to China data stored outside of China.
- Consider setting up corporate accounts on social messaging platforms such as WeChat and mandating the use of the same for business- and work-related communications instead of use of personal accounts.