Protection of Employee Personal Information in China
This article was originally published in Practical Law, July 2024 and is reproduced with permission from the publisher. For further information, visit www.practicallaw.com.
Recent years have seen strides in the protection of personal information. As people in the People's Republic of China (PRC) become increasingly concerned about the safety and security of their personal data, employers must deal cautiously with the legal issues arising out of the daily monitoring and management of their employees.
This Note gives an overview of the ever-evolving regulatory landscape regarding workplace privacy and data protection of employees in China. It summarises six principles that employers are advised to follow when collecting or handling personal information of employees in day-to-day operations. Moreover, it touches on the main implications of employee personal information protection for employers, discusses the principal employee-related privacy risks and analyses certain pitfalls that employers may overlook, from recruiting an employee through to ending the employment. It also clarifies the civil, administrative and criminal liabilities employers may incur for improperly collecting, processing, transferring or deleting employees' personal data, or for violating employees' privacy.
Employee Personal Information Protection: Legal Framework
General Legislation
In 2012, the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection 2012 for the first time expressly set out that electronic information by which individual citizens can be identified and which involves the individual privacy of citizens is legally protected (Article 1). Accordingly, when gathering and using the electronic personal information of citizens in business activities, enterprises should:
- Abide by the principles of "legality, legitimacy and necessity."
- Explicitly state the purposes, methods and scopes of collection and use of electronic personal information of citizens.
- Obtain the consent of those from whom information is collected.
- Disclose the rules for collecting and using electronic personal information of citizens.
(Article 2.)
The subjects listed in Article 2 are network service providers and other enterprises and institutions. However, the terms "network service providers" and "network" are broadly defined and used in China, so most enterprises will be subject to these requirements.
In 2015, the Amendment (IX) to the Criminal Law 2015 introduced criminal sanctions for infringing citizens' personal information, under which anyone who illegally sells or provides a citizen's personal information to others, or illegally obtains it, is liable to fixed-term imprisonment and/or a fine (Article 253(I)). (See Legal Update, Criminal Law amendment: new individual and corporate offences for data privacy and cybersecurity violations.)
On 1 June 2017, both the Cybersecurity Law 2016 (2016 CSL) and the Interpretation of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases of Infringing on Citizens' Personal Information 2017 (2017 Interpretation) came into force, further refining the legal framework and offering definitions of "personal information."
(For more information on the 2016 CSL, see Legal Update, China passes Cybersecurity Law.)
The 2016 CSL defines "personal information" as "all kinds of information recorded in an electronic or other forms, which can be used, independently or in combination with other information, to identify a natural person's personal identity, including but not limited to the natural person's name, date of birth, identity certificate number, biology-identified personal information, address and telephone number" (Article 76(5)).
The 2017 Interpretation elaborates on the criteria for determining infringement of citizens' personal information under the then effective Criminal Law and broadens the definition of personal information. According to the 2017 Interpretation, "personal information of a citizen" as used in Article 253(I) of the Criminal Law means any information, individually or combined with other information, that can identify a specific natural person's identity or reflect a specific natural person's activities, including communication and contact information, address, account passwords, property status and whereabouts (Article 1). Providing a citizen's lawfully collected personal information to any other person without the consent of the person concerned falls within "providing citizens' personal information" under Article 253(I) of the Criminal Law, unless the information has been processed so that it can no longer identify a specific person and cannot be restored (Article 3).
Subsequently, in October 2017, the General Provisions of the Civil Law of the PRC 2017 (2017 General Provisions) made it clear that personal information is protected as a basic civil right. Article 111 of the 2017 General Provisions provides that the personal information of a natural person is protected by law, and that any organisation or individual needing to obtain the personal information of others must ensure the security of that information and must not illegally collect, use, process or transfer it, nor illegally buy, sell, provide or publish it. Although the 2017 General Provisions were repealed by the Civil Code of the PRC 2020 (2020 Civil Code) from 1 January 2021, the 2020 Civil Code carries over the same provision (also as Article 111).
In addition, the 2020 Civil Code places personality rights in a separate part and devotes a chapter to privacy and personal information (Part Four, Chapter Six, Articles 1032-1039), extending privacy protection. Article 1034 provides that personal information is protected by law, expands the scope of personal information by expressly including "email address", and states that the rules on the right to privacy apply to private information within personal information. Under Article 1035, personal information may be collected and used only if the following preconditions are met:
- Obtaining consent of the natural person or the individual's guardian.
- Making public the rules for collecting and processing information.
- Making clear the purpose, means and scope of the collection and processing of information.
- Not violating laws, administrative regulations or the agreement between the parties.
2021 PIPL
On 20 August 2021, the Personal Information Protection Law 2021 (2021 PIPL) was passed by the Standing Committee of the National People's Congress (NPC), with effect from 1 November 2021. Before the 2021 PIPL, China had no comprehensive data privacy law regulating the protection of individuals' personal information; the 2016 CSL and the 2020 Civil Code contained only piecemeal provisions touching on the general protection of personal information. The promulgation of the 2021 PIPL therefore marks the first comprehensive legal regime for the protection of personal information in China. Below are some key points that employers should bear in mind.
Broadened Definition
The 2021 PIPL further broadens the definition of "personal information", defining it as any kind of information relating to an identified or identifiable natural person, recorded electronically or otherwise, excluding anonymised information (Article 4). Anonymisation means processing personal information so that a specific natural person cannot be identified and the information cannot be restored. In addition, the 2021 PIPL gives particular protection to "sensitive personal information", defined as personal information whose leakage or illegal use could easily lead to infringement of human dignity or harm to the personal or property safety of a natural person, with a non-exhaustive list of examples (Article 28) such as information on:
- Biometric identification.
- Religious beliefs.
- Specific identity.
- Medical health.
- Financial accounts.
- Personal whereabouts.
- Minors aged under 14.
A company may encounter various kinds of the above personal information in its daily operations, and employee personal information is part of that. For instance, an employer needs to collect employees' bank account information for payroll, which is sensitive personal information (financial accounts).
Extra-Territorial Effect
The 2021 PIPL is intended to have extra-territorial effect (Article 3). It also applies to the processing, carried out outside the territory of China, of personal information of natural persons within the territory of China in any of the following circumstances:
- For the purpose of providing products or services to natural persons located within China.
- Analysing or assessing the conduct of natural persons located within China.
- Under any other circumstance as provided by any law or administrative regulation.
Foreign entities processing such personal information must either establish a dedicated institution or designate a representative within China to handle matters relating to personal information protection (Article 53).
Processing Basis
The 2021 PIPL provides legal bases for processing personal information beyond the general "consent-based" approach. An employer that relies on consent to collect employee personal information may face the situation where an employee withdraws consent, leaving the employer with no basis to process that employee's personal information. This may no longer be a concern given the alternative legal bases, including where:
- The processing is necessary for the conclusion or performance of a contract or necessary for human resources management according to lawfully formulated labour rules and regulations and lawfully concluded collective contracts.
- The processing is necessary to perform statutory duties or statutory obligations.
- The processing is necessary to respond to public health emergencies or to protect the life, health or property safety of natural persons under emergency circumstances.
- The processing, within a reasonable scope, of personal information that employees have disclosed themselves or that has otherwise been lawfully disclosed, in accordance with the 2021 PIPL.
(Article 13)
Of the four bases above, the first relates directly to employee data. However, it is prudent to still obtain consent as an alternative basis to process employee data, especially sensitive personal information, as the precise scope of these additional bases is yet to be clarified. Employers should consider which employee personal information it is necessary to process without consent, whether for the conclusion or performance of a labour contract or for human resources management, and ensure that their labour rules and regulations or collective contracts enable them to process such data.
Employers may argue that processing employee personal information for social insurance and housing fund contributions falls not only under the first basis but also under the second, as making such contributions is a statutory obligation of employers.
Employee Consent
Where employee consent is required, before collecting and using employees' personal information, employers must explicitly notify employees of certain matters, such as:
- The name and contact information of the personal information processor (data controller).
- The purposes and methods of processing of personal information.
- Categories and retention periods of personal information to be processed.
- Methods and procedures for employees to exercise their rights enshrined in the 2021 PIPL.
(Article 17)
If sensitive personal information is involved, employers are required to notify employees of the necessity of the processing of sensitive personal information and any impacts on employees' rights and interests as well (Article 30).
Another point to note is that a single, once-and-for-all consent to the processing of personal information is insufficient. In the past, the common practice was to obtain employees' consent and authorisation once, during hiring and induction, for example through application forms in which candidates consent to the collection, storage, processing, transfer, verification and further updating of information related to the position within the limits prescribed by law, or through "authorisation of data use" clauses in employment contracts giving written consent. However, the 2021 PIPL mandates that separate consent be obtained when:
- Providing employee personal information to a third party (Article 23).
- Disclosing employee personal information (Article 25).
- Processing sensitive personal information (Article 29).
- The personal information will be transferred to locations outside the PRC (Article 39).
However, it remains unclear what "separate" consent means in practice, and employers should await further guidance. It would seem logical that separate consent differs from general or bundled consent, but it remains to be seen how separate it needs to be.
Legislation in Employment Areas
The Labour Contract Law of the PRC 2012 (2012 Labour Contract Law, with effect from 1 July 2013) states that when establishing an employment relationship, an employer has the right to know certain basic information about the employee that directly relates to the employment contract, and must keep a roster of employees for inspection (Articles 7 and 8).
As to the scope of an employee's basic information, there is currently no national law specifically defining which personal information is "directly related to the employment contract". At the local level, the provisions that elaborate on this also vary among provinces and municipalities. For instance, Shanghai and Jiangsu require employees to provide information about their health conditions to employers, while in Beijing the right to know employees' physical health is not enshrined in local law.
Area | Legislation | Employer's Right to Know
--- | --- | ---
Shanghai | Regulation of Shanghai Municipality on Labour Contracts 2001 (with effect from 1 May 2002) (Article 8) | The employee's physical health, knowledge, skills, working experience and so on.
Jiangsu | Regulation of Jiangsu Province on Labour Contracts 2013 (Article 11) | The employee's employment status, health conditions and non-compete obligations directly connected with the labour contract, and the employee's resident identity, educational background, work experience and occupational skills.
Beijing | Provisions of Beijing Municipality on Labour Contracts 2021 (Article 10) | The employee's identification documents, academic records, and evidence of employment background, work experience, vocational skills and so on.
There is a lack of uniformity in local interpretations of which personal information is "directly related to the employment contract". In practice, however, an employee usually must provide their name, residential address, ID number (or the number of another valid identity certificate) and information on their working experience or qualifications when entering into the employment contract. As to health conditions, the Circular on Further Regulating Physical Examinations for Enrolment and Employment Purposes and Protecting the Rights of Hepatitis B Surface Antigen Carriers to Enter Schools and Seek Employment 2010 makes it clear that employers, other than those in special occupations approved and announced by the Ministry of Health (a disbanded predecessor of the National Health and Family Planning Commission, itself replaced by the National Health Commission in 2018), must not require candidates to undergo HBV tests or submit HBV test reports in physical examinations for employment purposes, nor ask them whether they are HBsAg carriers. To eliminate gender discrimination, China has also banned employers from inquiring about a female applicant's marital and childbearing status (Article 2, Circular on Further Regulating Recruitment Practices to Promote Female Employment 2019).
In addition to the laws regulating what personal information employers may obtain, the Regulation on Employment Services and Employment Management 2022 requires that an employee's personal data be kept confidential and not be made public without the employee's written consent (Article 13).
Key Principles of Employee Personal Information Protection
Article 41 of the 2016 CSL stipulates that network operators must abide by the principles of:
"legality, legitimacy, necessity, openness and transparency for collection and use, explicitly indicating the purposes, means and scope of collecting and using information, and obtaining the consent of the persons whose information is collected."
Prior to the 2021 PIPL, employers would also refer to the Information Security Technology – Personal Information Security Specification (Specification) issued by the National Information Security Standardisation Technical Committee (TC260) for best practice in this area. The latest version of the Specification (GB/T 35273-2020) was released on 6 March 2020, with effect from 1 October 2020, replacing the 2017 version (GB/T 35273-2017) (see Legal Update, TC260 issues amended personal information security standard). The Specification is not legally binding but is a detailed guideline recommended by the authorities.
Articles 5–9 and Article 19 of the 2021 PIPL incorporate most of the principles in the Specification. Below are interpretations of the key principles for processing employee personal information.
Clear and Reasonable Purposes: Lawfulness, Legitimacy, Necessity and Good Faith
Employers should have clear and reasonable purposes for processing employees' personal information, process it for lawful, legitimate and necessary purposes, and not do so by misleading, fraud or coercion.
Limitation and Minimisation
Employers must process only personal information directly related to the processing purpose, and only the minimum categories and amount of personal information necessary to achieve the purposes authorised and consented to by employees. Generally, employers may retain personal information only for the shortest period necessary to achieve those purposes.
Open and Transparent
Employers should disclose the scope, purposes, methods, rules and so on in respect of the processing of personal information to employees in an explicit, easily understandable and reasonable manner.
Accuracy and Accountability
When processing personal information, employers should ensure its quality, avoiding inaccuracy or incompleteness. An employer should secure employees' personal information by taking sufficient management and technical measures to safeguard its confidentiality, integrity and availability, and bears liability for any damage caused by its processing of employees' personal information.
Typical Implications of Employee Personal Information Protection
Notwithstanding the promulgated regulations' reiteration of personal information protection, abuse of personal data is still pervasive in China. A huge amount of personal information may be obtained or disclosed daily without the owners' consent or beyond the principle of necessity. Below are different scenarios in which employee personal information is collected, used, shared, stored, modified and deleted, covering best practices on workplace privacy prescribed by laws, regulations and recommended standards.
Hiring and Interview
Usually, the employer will ask applicants under consideration to provide their resumes and attend interviews, which requires applicants to share personal information such as biographical data, contact details, academic credentials and work experience. For some special occupations and positions, employers may require applicants to provide qualification certificates (such as a CPA certificate) or even certificates of no criminal record (most commonly requested for directors, supervisors or senior managers of a company). For candidates who are not hired after the hiring and interview process, whether employers can claim that processing their personal information was necessary for concluding a contract to which the candidate is a party is arguable and remains to be clarified. Before inquiring about an applicant's personal information, it is advisable for an employer first to obtain the applicant's written consent to providing such information for the purpose of hiring. The employer should also make sure that the information required is directly related to the employment contract and within the limits of necessity and legitimacy (see Checklist, Information Needed to Draft an Employment Contract: China). Except for information provided voluntarily by applicants, employers are not entitled to inquire about information not directly related to the employment contract, such as an applicant's marital status, children, religious beliefs and personal preferences. Although it is perfectly understandable that a candidate may be required to disclose social relationships that may cause conflicts of interest with an employer, requiring a candidate to list information on all their family members is of questionable legality.
Moreover, in some circumstances employers may obtain applicants' information from third parties such as headhunters or recruitment agencies. To obtain and process personal information indirectly, employers should confirm with these third parties that the information was lawfully sourced and that applicants gave separate and explicit consent to the sharing and processing of their personal information. If the employer's use of applicants' personal information goes beyond the consent previously given to the third parties, the employer should obtain specific consent from the applicants separately. When using a headhunting service, to manage compliance risk, employers should evaluate the headhunter's ability to protect applicants' personal information, and specify both parties' liabilities regarding personal information protection in the headhunting service contract.
Background Check
Commonly, before making a job offer to a prospective employee, employers run background checks on applicants themselves or use a professional agency to conduct background and reference checks to verify the information candidates have provided. In either case, employers are advised to obtain the candidate's written consent in advance, expressly notifying the candidate of the purpose, scope and retention period of use of their personal information, whether it will be disclosed to third parties, and so on. A brief written consent form signed by the candidate is the minimum prerequisite for employers to make enquiries of the candidate's previous employers.
Meanwhile, the employer should agree with the third-party agency on the purpose, period and method of processing, the categories of personal information, protective measures, and the rights and obligations of both parties. Employers should monitor the processing activities of such third parties, at least to make sure they do not disclose candidates' personal information to others or otherwise violate the 2021 PIPL.
Health Check
Under the 2021 PIPL, information concerning health and physiology is sensitive personal information. Without separate consent, an employer should not obtain a candidate's medical history for positions where a pre-employment health check is unnecessary for performing the duties. If an employer requires a candidate to undergo a health check, then, as it remains to be seen whether the human resources management and contract conclusion bases will cover sensitive personal information, the employer is advised to obtain the explicit and separate consent of employees and candidates before conducting any physical examination and before obtaining their medical reports afterwards. As a prudent measure, the employer should ask candidates or employees to provide the reports themselves rather than collect them directly from hospitals.
Meanwhile, an employer may consider clarifying in its internal rules and regulations the scope of employees' personal information that the company has the right to collect, and stating its right to verify the personal information provided by employees in certain circumstances. For example, employers can add clauses to employment contracts or handbooks requiring employees applying for sick leave to provide supporting materials such as sick leave slips and medical certificates.
Employee Induction
During induction, the employee may be asked to fill in a written document such as a personal information registration form. Although an employee's filling in such a document can be deemed consent to the employer's collection of their personal information, the minimisation principle should still be followed. The employer should avoid proactively collecting information not directly related to the job, such as marital status or religious beliefs. If an employee provides false information at this step that is not directly related to the employment contract, then, considering the disparity in bargaining power between employer and employee, there are rulings holding that the employer cannot dismiss the employee for failing to provide such information truthfully.
Internal Supervision and Investigation
Digital surveillance technologies allow employees to be monitored to an extent previously impossible, putting personal privacy at stake. Video surveillance of a daily work area may be excessive and may infringe employees' privacy. Some employers deploy biometric systems such as facial recognition to track employees' time and attendance. As biometric information such as facial images or fingerprints is sensitive personal information under the 2021 PIPL, employers using facial biometrics in such systems are advised to seek employees' prior permission (obtaining separate written consent in an express and explicit way) and to adhere to the principles of necessity and minimisation. If alternative systems can achieve the employer's objectives without using biometric information, employers should avoid implementing such biometric systems. Where a third-party facial recognition service is used, employers should notify employees of the third party's name and contact information, the purposes and methods of processing, and the categories of personal information to be processed, and obtain employees' separate and explicit consent. In addition, employers should conduct a personal information protection impact assessment and enter into a service agreement with the third party specifying the scope of use of sensitive personal information, the division of rights and obligations, confidentiality obligations, the retention period of sensitive personal information, deletion obligations on termination of the service, and so on.
To oversee employees' working behaviour and performance, employers may also monitor company computers and company mobile phones and track company cars used by employees, which involves employees' personal information. As the records and content of personal communications on company devices, and the whereabouts and movements of employees, may count as sensitive personal information under the 2021 PIPL, employers should assess whether collecting such data from company devices is necessary. In addition, since it remains to be seen whether the human resources management basis covers sensitive personal information, employers are advised to obtain employees' explicit and separate consent as well, and not to locate, monitor or track employees after working hours; otherwise, even though the devices are provided by the company and are company property, the monitoring may still violate employees' privacy. To better comply with personal information protection requirements, employers should clarify in their internal rules and regulations the method, scope and restrictions of employees' use of the company's IT systems and company-provided equipment (such rules must be adopted through democratic consultation with employees and be signed by and acknowledged as binding on them; see Practice Note, Creating an Employee Handbook for Staff in China: Mandatory Democratic Consultation Process), emphasising that the employer's IT systems and equipment are to be used only for work purposes, and warning employees against storing personal information unrelated to their duties on them. For companies that host email servers outside China, there are additional cross-border transfer considerations, discussed below.
As to devices not issued by the company, employers should generally avoid inspecting them, since they contain more employee personal information unrelated to work. Requesting access to employees' personal devices carries heightened data privacy risk.
Sharing of Employee Personal Information
As mentioned, employers may need to share candidates' personal information with a background-check service provider. Additionally, in daily operations, employers may provide employees' personal information to third parties, including affiliates or vendors (for payroll, tax filing and other services). Such sharing is a processing activity under the 2021 PIPL that requires specific actions by the employer:
- To notify employees of name and contact information of the third party, the purposes and methods of personal information processing by the third party, and categories of provided personal information to be processed. This may be completed through employee privacy policies or separate agreements executed with individual employees.
- To obtain explicit and separate consent for the sharing, especially given the lack of clarity as to whether such sharing falls within the human resources management or contract conclusion bases.
- To conduct a personal information protection impact assessment, ensuring that the third party meets data security requirements and takes sufficient technical and other measures to protect the confidentiality of the employees' personal information shared by the employer.
- To reach agreement with the third party clearly stating the rights and obligations of both parties regarding the protection of the employees' personal information in a written agreement such as a service agreement with a payroll vendor.
Meanwhile, employers may review, adjust and update the confidentiality agreements signed with their employees, making sure that the personal information of employees is included as confidential information and that employees are forbidden from using, copying, transferring or providing the personal information of other employees to any third party. The confidentiality obligations of employees should expressly continue after employment ends.
Merger, Acquisition, and Restructuring
In a business merger, acquisition or restructuring transaction, the disclosure or transfer of personal data pertaining to employees is often involved. For instance, a purchaser (or prospective purchaser) may request the target (that is, the employer) to disclose the personal information of its employees for the purpose of conducting due diligence. If the employer, at the request of the purchasing party, provides such personal information to the purchaser, this falls within the sharing of employee personal information (see Sharing of Employee Personal Information). Consequently, the employer is advised to take the measures listed there, such as expressly notifying the employees of the type of information that may be disclosed, the recipient and how it will use the personal information, and obtaining the separate consent of employees before disclosing personal information to the purchaser. In the meantime, the employer must monitor the purchaser's use of employee personal information, making sure that the information is used only for purposes relating to the merger, acquisition or restructuring and is not transferred onward without the consent of the employees.
Cross-Border Transfer of Employee Personal Information
In practice, many multinational companies that have established Chinese entities may collect the personal information of domestic employees via the internet, which entails the regulatory requirements for outbound transfer of personal information.
Pursuant to Article 37 of the 2016 CSL, if the employer is regarded as a "critical information infrastructure operator" (CIIO) (an entity whose suffering a security breach, such as a data leak, would cause serious damage to national security, the economy or the public interest), it must store personal information collected and produced within the territory of China locally, in compliance with the data localisation requirement, and must conduct a security assessment before providing such information and data to overseas parties for business needs.
The 2021 PIPL further requires processors who process personal information exceeding the volume threshold established by the Cyberspace Administration of China (CAC) to store within China the personal information produced or collected in China, unless they pass a security assessment organised by the CAC (Article 40). Other processors may transfer personal information abroad if they pass the CAC data security assessment, obtain certification from an authorised certification body, or enter into a standard contract with the overseas data recipient (Article 38).
Where the outbound transfer of personal information by CIIOs or other processors triggers the conditions under the Measures on Security Assessments of Cross-border Transfers of Data 2022 (2022 Security Assessments Measures), employers must apply to a local provincial CAC office to conduct a security assessment according to the requirements and procedures under the measures and relevant guidelines. (For more information, see Practice Note, Cross-Border Data Transfers: Data Export Security Assessment in China.) In other cases, employers may carry out the export of personal information by obtaining personal information protection certification, or entering into a standard contract. For detailed requirements of certification and standard contract routes, employers may refer to the Practicing Guidelines for Network Security Standards — Technical Specification for Certification of Personal Information Cross-border Processing Activities (V2.0) and the Measures for the Standard Contract for the Outbound Transfer of Personal Information 2023 respectively. (See also Practice Notes, Cross-Border Data Transfers: Personal Information Protection Certification in China and Cross-Border Data Transfers: Standard Contract for Personal Information Exports (China).)
In recent years, we have seen the CAC's intention to offer relief to certain companies from the above cross-border data transfer requirements.
On 28 September 2023, the CAC released the Draft Provisions on Regulating and Promoting Cross-Border Data Flows (Draft Provisions), which proposed certain exemptions for cross-border data transfers.
On 22 March 2024, the long-awaited official version of the Draft Provisions, namely the Provisions on Promoting and Regulating Cross-Border Data Flows 2024 (2024 Cross-Border Data Flow Provisions), was eventually promulgated.
There are no substantial changes between the Draft Provisions and the 2024 Cross-Border Data Flow Provisions regarding the exemption conditions. Among these exemptions, the following may have the greatest implications for an employer's processing of personal information in its daily operations:
- Outbound transfer of employee data necessary for the purpose of cross-border human resources management under the labour rules and policies and collective contracts.
- Outbound transfer of personal data necessary for the purpose of concluding and performing contracts, such as:
  - cross-border shopping;
  - cross-border delivery;
  - cross-border remittance;
  - cross-border payment;
  - cross-border account opening;
  - flight booking and hotel reservations;
  - visa application; and
  - examination services.
- Outbound transfer of no more than 100,000 individuals' personal information (excluding sensitive personal information and important data) per single calendar year by data processors other than CIIOs.
Some ambiguities remain to be clarified, such as what "necessity" means: what kind of employee data can be deemed necessary for the purpose of cross-border human resources management, and what kind of personal data can be deemed necessary for the purpose of concluding and performing contracts. In the interim, employers are advised to develop or update their employment contract templates and company policies, such as handbooks, to ensure that "the purpose of cross-border human resources management" is well defined for the processing and cross-border transfer of employee data.
Employers that are certain that their data activities are exempted from the CAC assessment, standard contract filing or certification requirements under the 2024 Cross-Border Data Flow Provisions are still legally obliged to:
- Inform employees of the transfer outside of the PRC and obtain separate and explicit consent from employees before the personal information is shared, disclosed or transferred, although, for the human resources management exemption, this requirement may be waived or satisfied at the same time through well-drafted company policies.
- Carry out a personal information protection impact assessment in respect of their cross-border data transfer activities (see Practice Note, Chinese Standard Contract for PI Exports: How to Conduct a PIPIA?).
- Make appropriate records of the handling of such activities.
- Adopt necessary measures to ensure that the data recipient's processing activities meet the standard of protection required by the 2021 PIPL.
That said, employers that do not meet the exemption requirements under the 2024 Cross-Border Data Flow Provisions need to take the following compliance actions, as applicable:
- To conclude an agreement based on the standard contract form prescribed by the CAC with the overseas receiving party, or to obtain personal information protection certification from an authorised certification body. This applies to non-CIIOs that, per single calendar year, provide either:
  - no less than 100,000 but less than one million individuals' personal information (excluding sensitive personal information); or
  - less than 10,000 individuals' sensitive personal information.
- To perform the CAC assessment. This applies to CIIOs that provide personal information or important data overseas, or non-CIIOs that provide either:
  - important data overseas; or
  - per single calendar year, no less than one million individuals' personal information (excluding sensitive personal information) or no less than 10,000 individuals' sensitive personal information.
We have also seen the CAC's continuous efforts to facilitate data flows in certain local regions. For instance, following the Memorandum of Understanding on Facilitating Cross-boundary Data Flow within the Guangdong-Hong Kong-Macao Greater Bay Area (GBA), jointly signed by the CAC and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region (HKITIB), the CAC and the HKITIB jointly released the Implementation Guidelines for Standard Contract for the Cross-boundary Flow of Personal Information Within the GBA 2023 (GBA Standard Contract Guideline), together with the Standard Contract for the Cross-boundary Flow of Personal Information Within the GBA (GBA Standard Contract), on 13 December 2023, with immediate effect.
The GBA Standard Contract is broadly similar to the China Standard Contractual Clauses (China SCCs), with some China SCC clauses deleted or modified, reducing the compliance obligations of enterprises to a certain extent. However, for the cross-border transfer of employee personal information between the Mainland cities within the GBA and Hong Kong, the GBA Standard Contract Guideline provides that personal information processors from Hong Kong and Guangdong must still file the standard contract for the cross-border transfer of employees' personal information, without any exemption. Since the 2024 Cross-Border Data Flow Provisions came into effect, however, employers may now be exempted from the SCC filing requirement for certain employee data on the basis of the exemptions listed in those Provisions.
Modification and Deletion of Employee Information
Employees are entitled to access their personal information collected by employers, and ask employers to modify the information when they find it inaccurate. Employees who find that employers collect or use the personal information in a way that violates the existing regulatory requirements and the binding agreements between them can require that information be deleted immediately. If an employer rejects an employee's request, the employee may file a lawsuit.
With regard to candidates who are not employed after the hiring process, the employer should evaluate the necessity of retaining their CVs and other personal information. If it is necessary to keep the personal information of candidates who are not employed, the employer must expressly inform the candidates of the type of personal information to be kept and the purpose and retention period for keeping it, and obtain their explicit consent. The employer is obliged to ensure the information security of the candidates and not to illegally disclose their personal information to a third party. Otherwise, the employer must delete all the personal information of the candidates promptly.
Another aspect that requires the employer's attention is the personal information of departing employees. The 2012 Labour Contract Law mandates that the employer must keep terminated employment contracts on file for at least two years (Article 50) but remains silent on how to deal with the information after those two years. The 2021 PIPL limits the period for which an employer can store the personal information of employees to the shortest time needed to achieve the purposes of use consented to by its employees, unless otherwise specified by laws and regulations or agreed by the employees. In practice, when the employment relationship terminates, the employer is advised to redact or delete the personal information after the retention period agreed with the employees. Additionally, to ensure that personal privacy is not violated, the employer should reach agreement with any third party to which it discloses or shares its employees' personal information, making sure that the third party will de-identify or delete that personal information once the underlying purpose of the sharing is fulfilled or no longer exists, for instance when the service agreement with a vendor is terminated.
Violation Liabilities
Non-compliance with Chinese laws and regulations in relation to the collection, use, sharing, transfer and deletion of personal data is subject to civil liability, administrative sanctions and criminal penalties.
Civil Liabilities
As protecting the personal information of employees is the employer's obligation indicated in the employment contract, the employer needs to assume the following civil liabilities under the 2020 Civil Code if it fails to provide data protection or violates the privacy of employees:
- Cessation of infringement.
- Compensation for loss.
- Payment of liquidated damages.
- Elimination of adverse impact and rehabilitation of reputation.
- Apologies.
(Article 179.)
Under the 2020 Civil Code, if the employer collects the employee's personal information illegally, leaks the personal information negligently or provides the personal information to others in violation of relevant laws and regulations, thereby infringing the legitimate civil rights and interests of the employee, the employer is the tortfeasor, is subject to tort liability and must compensate the employee (Article 1165). For economic loss caused by data leakage, the amount of loss is calculated according to the market price at the time the loss occurred, or by another method (Article 1184). If the infringement of the employee's personal rights and interests causes the individual serious mental distress, the employee may claim compensation for mental distress from the employer (Article 1183).
The constituent elements of infringement of privacy are:
- The illegality of the infringement.
- The result of the damage.
- The direct causal nexus between the unlawful act and the result of the damage.
- The fault.
Article 69 of the 2021 PIPL reverses the burden of proof: if an employer cannot provide evidence showing that the infringement of employee personal information rights was not caused by its fault, it is presumed to be at fault and must bear liability for damages. The amount of liability is determined by the loss incurred by the employee or the benefit obtained by the employer from the infringement.
Administrative Liabilities
Most enterprises in China are subject to regulation under the 2016 CSL as network operators (see Legal Update, China passes Cybersecurity Law: New cybersecurity regime: overview). Article 40 of the 2016 CSL mandates that the employer keep its employees' personal information strictly confidential and establish a security system to protect it. Article 42 stipulates that the employer must not divulge, tamper with or damage the personal information it has collected, and imposes a reporting requirement on the employer when personal information is leaked, lost, damaged or distorted. Apart from the reporting obligation, an employer's infringement of the 2016 CSL may entail liabilities including the following:
- Rectification.
- Warnings.
- Temporary suspension of operations or suspension of business pending rectification.
- Closure of websites, apps or communication groups.
- Revocation of relevant operational permits or business licences.
- Imposition of fines.
- Confiscation of illegal gains.
- Freezing of assets.
- Detention.
(Articles 59-75)
The administrative liabilities under the 2021 PIPL broadly resemble those under the 2016 CSL, but with higher fines. An employer can be fined up to RMB50 million or not more than 5% of its turnover in the previous year. HR staff or other individuals who are directly responsible for the processing of employee personal information can be fined up to RMB1 million and be prohibited from serving as directors, supervisors, senior executives or persons in charge of personal information protection at related enterprises for a certain period of time (the period is not defined).
Any violation of the 2021 PIPL will be entered into the credit record of a company and be published.
Under the Public Security Administration Punishments Law 2012 (with effect from 1 January 2013), a person who disseminates another person's private information may be detained for not more than five days or fined not more than RMB500; for serious violations, the person shall be detained for not less than five days but not more than ten days and may, in addition, be fined not more than RMB500 (Article 42(6)).
Criminal Liabilities
Article 253(I) of the Criminal Law of the PRC 2023 (2023 Criminal Law, with effect from 1 March 2024) subjects an individual or entity that illegally sells, provides or purchases personal information under "serious circumstances" to criminal liability, providing the following penalties for offences contravening data privacy laws such as the illicit collection, sale or provision of personal information:
- Imprisonment or criminal detention. (For serious violations, the 2023 Criminal Law requires imprisonment or criminal detention of not more than three years, while for particularly serious violations, the criminal liabilities are three to seven years of imprisonment alongside a fine.)
- Imposition of fines.
The seriousness of the circumstances is the core standard for criminalising the illegal provision and purchase of personal information. The 2017 Interpretation gives a concrete description of "serious circumstances" from five aspects:
- The amount of personal information involved.
- Illegal gains. Obtaining an illegal income of RMB5,000 or more derived from the illegal provision of personal information should be determined as a "serious circumstance."
- The usage of personal information. If the personal information is used for committing a crime, it should be deemed as a "serious circumstance."
- Subjective malignancy. An individual has subjective malignancy if the person knows or should have known that the other individual is going to commit a crime using the personal information.
- The subject of the crime. A person who acquires, sells or provides personal information through illegitimate means after having been given a criminal punishment, or an administrative punishment within the preceding two years, for infringing on a citizen's personal information falls within a "serious circumstance."
(Articles 5-6)
Given these standards, the criminal conviction threshold for infringement of personal information is, in theory, relatively low. Taking the quantity of information as an example, for highly sensitive personal information such as information on whereabouts, communication contents, credit investigations and property, the illegal sale or purchase of more than 50 pieces of such information will be prosecuted.
Although Chinese law prescribes the harsh sanctions described above for breaches of personal privacy, imposing significant compliance costs on companies, enforcement of the relevant regulations has been quite scant where an employer unintentionally fails to protect employees' personal information, such as through accidental leakage.