
17 December 2021
Navigating Through Uncertainty: New Challenges of Conducting Cross-border Investigations under China’s Personal Information Protection Law
China’s Personal Information Protection Law (PIPL) came into effect on 1 November 2021. With an array of obligations and liabilities imposed, the PIPL's omnibus restrictions on the collection, use, and transfer of personal information will complicate cross-border investigations for multinational companies doing business in China, adding legal and regulatory challenges for businesses that are striving to comply with both Chinese and foreign privacy laws.
The PIPL has extra-territorial effect and applies to data processing activities within China and to the processing of Chinese residents’ data outside China. The fact that a business has no subsidiary or presence in China does not necessarily exempt it from the jurisdiction of the law.
Penalties for violating the PIPL can be severe. Viewed as the Chinese counterpart to the EU General Data Protection Regulation (GDPR), the PIPL imposes administrative fines of up to 5% of the company’s annual revenue for the previous year or up to CNY 50 million (USD 7.8 million) for the most serious violations.
Notified consent remains the primary basis for processing data that contains personal information for an investigation. In addition, “separate consent” must be obtained if the data collected contains sensitive personal information such as financial accounts, medical and health information, geographic location, and tracking data, or if the data containing personal information needs to be transferred outside mainland China. The PIPL does not define “separate consent” or what form of “separate consent” constitutes valid consent. If the personal information is to be transferred across borders, companies should also apply for personal information protection certification or adopt the contract template of the Cyberspace Administration of China (CAC) for data transfers.
Companies conducting internal investigations should take a risk-based approach when handling evidence that contains the personal information of their China-based employees, customers, suppliers or other third parties.
Relying solely on the “waivers” of the notified-consent requirement might be insufficient, because it remains unclear whether conducting an internal investigation would constitute carrying out human resources management or performing a legal responsibility or obligation under the PIPL. A waiver might not be valid if the data contains personal information disclosed by the investigation subject on a “quasi-social media platform” such as WeChat Moments, because it remains unclear whether such disclosure would be deemed a disclosure to the public.
Once an investigation begins, obtaining separate and explicit consent from those who are under investigation becomes challenging. The data subject could withdraw their consent at any time, which might jeopardize the investigation. If the investigation turns out to go beyond its internal nature, providing any personal information to a foreign judicial or law enforcement agency, such as the DOJ or SEC of the United States, requires the approval of a designated Chinese authority.
Before clearer guidance is issued, companies conducting cross-border investigations should retain data processors located within mainland China to collect, process and review employees’ emails and financial transaction records stored in China. When in doubt, companies should apply proper redaction and anonymization procedures so that any data transferred outside of China no longer contains personal information.