Employers face a host of new obligations regarding employee personal information following the approval of the Personal Information Protection Law (“PIPL”) on August 20, 2021. The law, which was approved by the Standing Committee of the National People’s Congress, takes effect on November 1, 2021.
While the PIPL contains many provisions dealing with consumers and commercial relationships, this Client Alert will focus only on the provisions relating to employer obligations.
The PIPL is the first comprehensive law on the protection of personal information in China. The law covers issues related to the entire life cycle of personal information, from its creation to its deletion, and is similar, but not identical, to the European Union’s General Data Protection Regulation. On the one hand, the PIPL will provide stronger legal protection of employee personal information by significantly tightening the legal requirements and procedures employers must follow. On the other hand, the PIPL will likely increase employees’ awareness of their rights and therefore encourage them to take action to defend those rights.
Employers can expect further clarification on the law in the upcoming months. The PIPL explicitly calls on central government authorities to enact further regulations. Moreover, local authorities may also be expected to issue their own regulations and interpretations.
The following are key points in the PIPL affecting employers:
1. General principles. Among the general principles that employers should follow when processing employee personal information are good faith, necessity, transparency, having a clear and reasonable purpose, limiting the processing to the minimum scope needed to achieve the processing purpose, and ensuring the accuracy of information processed. The PIPL will be interpreted in accordance with these general principles.
2. Definition of personal data. The PIPL adopts a relatively broad definition of “personal information”, defining it as all kinds of information, recorded electronically or by other means, related to identified or identifiable natural persons.
“Sensitive personal information” means personal information that, once leaked or illegally used, may easily (i) result in harm to an individual’s dignity, or (ii) threaten the safety of the individual’s person or his/her property, including information relating to biometrics, religious beliefs, race or ethnic groups, medical and health data, financial data, and location data (as well as all personal information of minors under the age of 14).
3. Scope. In the context of employment, the processing of personal information includes the collection, use, storage, transfer, disclosure, and deletion of an individual’s personal data before, during, and after employment.
4. Legal bases for processing. Employers must have at least one legal ground set forth in the PIPL in order to process employee personal information. The relevant grounds for employer processing of employee personal information include:
(1) Employee consent
(2) Where necessary to conclude or fulfil a contract in which the employee is an interested party (e.g., an employment contract)
(3) Where necessary to conduct human resource management in accordance with validly adopted company rules or collective contracts
(4) Where necessary to fulfill a legal obligation (e.g., employee social insurance registration)
5. Employee consent. Specific provisions relating to employee consent include:
(1) Consent must be obtained again if there is a change in the processing purpose, processing method, or types of personal information to be processed.
(2) An employer must provide a convenient way for individuals to withdraw consent for processing of personal information. A withdrawal of consent, however, does not affect the validity of processing carried out on the basis of that consent before it was withdrawn.
(3) An employer must delete an individual’s personal data upon the individual’s request.
(4) “Separate consent” is required for:
(a) processing sensitive personal information
(b) transferring personal information to third parties, which would include domestic affiliates
(c) making personal information public
(d) transferring personal information overseas
6. Policies and Procedures. Employers are required to have policies and procedures related to:
(1) the processing of personal information, including notification of employees on processing purpose, processing method, types of personal information collected, and retention period
(2) how employees may exercise their statutory rights regarding the processing of their personal information, including the rights to access, copy, correct, and delete their personal information, as well as request data portability and request an explanation of the employer’s personal information processing policies
(3) internal management systems and operating procedures for the protection of personal information
(4) contingency plans for personal information security incidents
Before collecting personal information, employers must first inform candidates and employees of the employer’s rules for processing personal information, regardless of the employer’s legal basis for the processing.
In order to process sensitive personal information, an employer must have a specific and necessary purpose to process the information and must also take strict protective measures.
7. Security/Storage. Employers must take measures to ensure the security of employee personal information. These measures include stricter security measures depending upon the type of personal information, adoption of encryption and de-identification measures, designation of the internal staff who have authority to process personal information, holding regular security training for such internal staff, and developing and implementing emergency plans to handle personal information security incidents. Employers must also take timely remedial measures and fulfill notification obligations in the event of personal information security incidents.
The PIPL provides that localization of personal information is required only for critical information infrastructure processors and personal information processors who process personal information up to an amount specified by regulators. However, the requirement for consent for overseas transfer of personal information means that employers in China will likely need to store employee personal information locally.
8. Third party processing. When transferring personal information to third parties for processing, employers must comply with certain legal requirements, including entering into agreements with joint processors (e.g., recruiters), entrustment processors (e.g., payroll agents), or other third parties (e.g., external auditors and legal counsel).
9. Cross border transmission. In addition to obtaining the consent of an employee, employers must satisfy one of the following conditions to transfer personal information outside of Chinese mainland:
(1) Entering into a standard contract with the overseas information receiver. The terms of such standard contract will be made available to the public by the PRC authorities.
(2) Completing a security assessment organized by the PRC authority, or
(3) Undergoing personal information protection certification conducted by a specialized institution according to relevant rules of the PRC authority.
Employers must complete a personal information protection impact assessment before transferring personal information abroad. Employers must also adopt “necessary measures” to ensure that the personal information processing activities of the overseas recipient reach the PIPL’s requirements. These measures may include the obligation to supervise and monitor the foreign processing activities.
10. Prior Impact Assessments/Recordkeeping/Audits. An employer must conduct a prior assessment of the impact of its personal information processing activities and of the protection measures applied to them, and keep records for certain types of processing, including the processing of sensitive personal information, entrustment processing, and cross border transfer of personal information.
After processing of personal information is underway, an employer must regularly conduct its own or engage professional institutions to audit the employer’s processing of employee personal information. In certain circumstances, the regulatory authority may require an employer to engage a professional institution to audit its personal information processing activities.
11. Liabilities. Employers may face liability arising not only from the employer’s own violation of the PIPL when processing employee personal information, but also arising from employee violations (e.g., infringing the personal information rights of colleagues, customers, or business partners). This liability could include administrative, civil, and criminal liability.
The administrative liability under the PIPL is a "double penalty system", which includes penalties for both employers and for the individuals who may be held responsible for a violation (e.g., managers and other persons directly responsible). Penalties for individuals include not only fines, but being barred from serving as a director, supervisor, senior manager or person in charge of personal information protection in “related enterprises” for a certain period of time. For serious violations of the PIPL, employers could face fines of up to RMB 50 million or up to 5 percent of the previous year's turnover.
Under the PIPL, an employee would have the right to file a lawsuit against an employer if (1) the employer’s processing activities violate the PIPL with regard to the personal information of the employee; or (2) the employer refuses to act upon an employee request in respect of the employee’s exercise of rights related to personal information.