25 October 2021

10 minute read

3 Key Actions for Employers Ahead of Effective Date of the Personal Information Protection Law

The Personal Information Protection Law (PIPL) passed by the Standing Committee of the National People’s Congress will take effect on 1 November 2021. Although there were piecemeal provisions touching on the general protection of personal information, such as the 2016 Cyber Security Law and the 2020 Civil Code, the PIPL is the first comprehensive legal regime regulating the protection of personal information in China. As employee personal information will also be regulated by the new law, we set out below some key points that employers should bear in mind under the law.

  • Definition of personal information and sensitive personal information

    The PIPL defines “personal information” as any kind of information relating to an identified or identifiable natural person, recorded electronically or otherwise, excluding anonymised information (Article 4). Anonymisation means that the personal information has been processed so that it is impossible to identify specific natural persons and impossible to restore. In addition, the PIPL emphasises the particular protection afforded to “sensitive personal information”. Sensitive personal information is defined as personal information of which the leakage or illegal use could easily lead to infringement of human dignity or harm to the personal or property safety of a natural person, with non-exhaustive examples listed such as information on (a) biometric identification, (b) religious beliefs, (c) specific identity, (d) medical health, (e) financial accounts, (f) personal whereabouts, and (g) minors aged under 14. A company may encounter different kinds of the above-mentioned personal information during its daily operations, and employee personal information is part of that. For instance, an employee’s bank account information collected by an employer for payroll would be considered sensitive personal information.

  • Extra-territorial Effect

    The PIPL is intended to have extra-territorial effect (Article 3). It also applies to the processing, outside China, of the personal information of natural persons located within China under any of the following conditions:

    1. for the purpose of providing products or services to natural persons located within China;

    2. analysing or assessing the conduct of natural persons located within China; or

    3. under any other circumstance as provided by any law or administrative regulation.

    If foreign entities process the above-mentioned personal information, they must either set up a specific institution or designate a representative within China to handle the relevant affairs of personal information protection (Article 53).

  • Employee Consent

    Consent remains a main basis on which an employer may collect and process employees’ personal data. Before collecting and using the personal information of employees, employers should explicitly notify employees of certain items, such as (a) name and contact information of the data controller, (b) the purposes and methods of processing of personal information, (c) categories and retention periods of personal information to be processed, and (d) methods and procedures for employees to exercise their rights enshrined in the PIPL. If sensitive personal information is involved, employers are required to notify employees of the necessity of the processing of sensitive personal information and any impacts on employees’ rights and interests as well.

    One key point to note is that it would be insufficient for employers simply to obtain employees' consent to the processing of personal information once and for all. In the past, the common practice of many employers has been to obtain the consent and authorisation of employees once, during hiring and induction. This was done, for example, by having candidates complete application forms in which they consent to the collection, storage, processing, transfer, verification and even further updating of information related to their position within the reasonable limits prescribed by law, or by adding "authorisation of data use" clauses to employment contracts to obtain employees' written consent. Nevertheless, the PIPL mandates that separate consent must be obtained under certain circumstances:

    1. when providing employee personal information to a third party;

    2. when disclosing employee personal information;

    3. when processing sensitive personal information; or

    4. when the personal information will be transferred to locations outside the PRC.

    However, it remains unclear what “separate” consent means in practice, and employers should await further guidance on this. It would seem logical that separate consent is different from general consent or bundled consent, but it remains to be seen how separate it needs to be.

  • Additional Grounds to Process Employee Data

    The PIPL includes additional legal grounds for processing personal information in addition to the general “consent-based” approach. Employers who rely on employees’ consent in order to collect employee personal information may face the situation where an employee withdraws his or her consent, leaving the employer with no basis to process that employee’s personal information. With alternative legal bases now added, this may no longer be a concern, but certain issues still need to be clarified, and the additional bases only apply under the following circumstances:

    1. the processing is necessary for the conclusion or performance of a contract or necessary for human resources management according to lawfully formulated labour rules and regulations and lawfully concluded collective contracts;

    2. the processing is necessary to fulfil statutory functions or statutory obligations;

    3. the processing is necessary to respond to public health emergencies or to protect the life, health or property safety of natural persons under emergency circumstances; or

    4. the processing of public personal information that has been disclosed voluntarily by employees themselves or disclosed lawfully otherwise within a reasonable scope in accordance with the PIPL.

    Among the four exemptions, the first one is directly related to employee data. However, it would be prudent to still obtain consent as an alternative basis for processing employee data, especially sensitive personal data, as the precise scope of these additional bases is yet to be clarified. Employers should consider which employee personal information needs to be processed without consent, either for the conclusion or performance of a labour contract or for human resources management, and ensure that their labour rules and regulations or collective contracts enable them to process such data.

    Employers may argue that the processing of employee personal information for social insurance and housing fund contributions falls under not only the first exemption but also the second exemption, as it is a statutory obligation for employers to make such contributions.

    In the absence of detailed explanations, it is also arguable and difficult to predict whether the processing of employee health data linked to COVID-19 falls under the third exemption listed above, or whether employers can use public personal information on employees’ social media, such as Weibo or LinkedIn, without consent.

  • Key Principles for Processing Employee Data

    The principles of clear and reasonable purpose, limitation and minimisation, openness and transparency, and accuracy and accountability, which previously appeared in other rules or guidelines, are codified in the PIPL.

  • Strengthened Liabilities

    The PIPL incorporates higher fines than previous data privacy laws. An employer can be fined up to RMB 50 million or not more than 5% of its turnover in the previous year. HR or other individuals who are directly responsible for the processing of employee personal information can be fined up to RMB 1 million and forbidden from taking positions as directors, supervisors, senior executives or persons in charge of personal information protection of related enterprises for a certain period of time (which the law does not define).

    Any violation of the PIPL will be entered into the company’s credit record and published. Moreover, the PIPL incorporates a provision stating that the burden of proof shall be reversed.

3 Key Actions for Employers

Given the above developments, employers are advised to take the following actions ahead of the effective date of the PIPL:

  1. Update employee data consent to ensure some kind of separate consent is provided to comply with the PIPL.

  2. Update employee data policies to define and ensure the employer can rely upon the human resource management ground to process employee data in case consent is said to be insufficient in a particular situation.

  3. Ensure relevant staff are familiar with the requirements of the PIPL in terms of the key principles of collecting and processing data and specific issues such as sensitive personal data and overseas data transfers. We expect that further implementing rules or interpretations will be released, so keep abreast of developments in order to make timely updates to the organisation’s employee data processing practices.