Legal Update on the New Requirements for Employers under the Personal Information Protection Law in China
On 20 August 2021, the Personal Information Protection Law of the People’s Republic of China (“PIPL”) was passed by the Standing Committee of the National People’s Congress, and will become effective on 1 November 2021. Comprising 8 chapters and 74 articles, PIPL lays down a clearer yet stricter regulatory framework for the protection of personal information. As the first comprehensive data protection legislation in China, PIPL will further strengthen China’s legislative efforts in protecting individuals’ data privacy rights.
Compared with the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong), PIPL has the following features:
- a broader definition of “personal information” which includes all kinds of information relating to an identifiable natural person as recorded electronically or in other forms but excludes anonymised information;
- stricter requirements in respect of obtaining an individual’s consent, where in many cases the individual’s “specific consent” is required;
- more detailed provisions on the processing of personal information, where processing includes the collection, storage, use, transfer, disclosure, deletion, etc., of an individual’s personal information; and
- more severe penalties.
From the employment perspective, it is imperative for employers in China to understand the impact of PIPL on human resources management and to take the necessary actions to fully comply with the new legislative requirements.
Part 1 Major aspects of PIPL’s impact on human resources management
1. An employer must have a valid ground under PIPL for processing an employee’s personal information.
To process an employee’s personal information, an employer must have a valid ground under PIPL and the common grounds include:-
- the employee has given prior consent; or
- the processing of the personal information is necessary for human resources management in accordance with the internal rules and regulations or collective contracts.
2. An employee’s personal information can only be processed for a proper purpose and in a reasonable manner.
Even if an employee has duly consented, an employer must still ensure that the processing of the information is for a proper purpose and in a reasonable manner. For example, collecting information about an employee’s marital status or pregnancy is irrelevant to the establishment of an employment relationship and lacks a proper purpose; in practice this may be regarded as a violation of PIPL.
3. An employer must ensure the security of an employee’s personal information.
Under PIPL, an employer has the duty to establish a system to ensure the security of employees’ personal information. Depending on the purposes and manner of processing and the nature of the information, the employer needs to take measures including developing internal rules and procedures for processing the information, classifying and managing the information according to its nature, adopting encryption and de-identification measures, duly authorising the staff who process the information, providing regular training, and preparing emergency plans for security incidents. Should a dispute arise in the future, an employer may be held liable if it cannot prove that such security measures were implemented.
4. An employer has the duty to ensure an employee’s rights in respect of his/her personal information.
PIPL provides a series of rights to individuals in respect of their personal information, including the rights to be informed, to make decisions about the processing, to have the information corrected, and to obtain a copy of it. The employer has the duty to ensure that employees can exercise these rights. For example, if surveillance cameras are installed at the workplace, the employees should be informed.
Part 2 Key requirements for processing personal information in human resources management
1. The primary principle is to obtain informed consent.
An employer must duly inform an employee before processing his/her personal information. In particular, the employer must inform the employee in a clear and comprehensible manner, and obtain the employee’s clear and voluntary consent. Should there be material change to the purpose or manner of processing or the type of processed information, the employer would need to obtain the employee’s consent again.
2. For processing sensitive personal information, specific consent is required.
“Sensitive personal information” refers to personal information the disclosure or unlawful use of which could endanger the individual’s dignity, personal safety or property, including biometric data, religious beliefs, medical and health data, financial accounts and location tracking, as well as all personal information of minors under the age of 14. An employer may process an employee’s sensitive personal information only where there is a specific purpose and sufficient necessity, and the employer must also take strict protective measures. When processing such sensitive personal information, the employer must obtain the employee’s specific consent and inform him/her of the necessity of the processing and its potential impact on him/her.
3. Personal information cannot be stored in excess of a necessary period.
An employer cannot retain an employee’s personal information beyond the period necessary for the purpose of processing, and the storage must comply with the relevant regulations. An employer should establish an internal mechanism to check and delete such information on a regular basis (e.g., regularly check for, and promptly delete, the personal information of former employees).
4. Third-party information processor must be duly authorised and supervised.
If an employer engages a third party (e.g., a human resources service provider) to process an employee’s personal information, the employer should carry out a risk assessment in advance. The employer has the duty to supervise the third party’s processing of such information and to ensure that the processing does not exceed the scope of authorisation.
5. Joint processing of personal information can result in joint and several liability.
If an employer processes an employee’s personal information jointly with a third party, the employer should agree in writing with the third party the requirements for secure processing of the information, and the respective responsibilities of the employer and the third party. Meanwhile, the employer should inform the employee of the fact of joint processing.
6. Specific consent is required for the transfer or disclosure of the personal information.
If an employer needs to transfer or disclose to a third party an employee’s personal information, the employer must inform him/her and obtain his/her specific consent.
7. Specific consent is required for publicising the personal information.
If an employer needs to publicise an employee’s personal information, the employer must obtain the employee’s specific consent.
8. An employee is entitled to withdraw the consent.
An employee is entitled to withdraw the consent previously given to the employer for processing his/her personal information, though the withdrawal would not affect the validity of the processing activities previously conducted.
Part 3 Liabilities for violating PIPL
1. Administrative liability
- Employer
  - General violation. Order of correction, warning, forfeiture of proceeds from unlawful activities, and/or order of suspension or termination of the application that unlawfully processes personal information; and a negative record in the credit information publicity system
  - Refusal to rectify. In addition to the above, a fine of up to RMB 1,000,000
  - With aggravating circumstances. Order of correction, forfeiture of proceeds from unlawful activities, a fine of up to RMB 50,000,000 or 5% of the preceding year’s revenue, suspension of the relevant operations or suspension of business for rectification, and/or revocation of the relevant business permits or the business licence
- Individuals directly in charge or responsible
  - A fine ranging from RMB 10,000 to RMB 100,000; and
  - in cases with aggravating circumstances, a fine ranging from RMB 100,000 to RMB 1,000,000, and/or prohibition from serving as a director, supervisor, senior manager, or person in charge of personal information protection in the relevant companies for a certain period
2. Civil liability
- Damages
  - Calculated by reference to the loss suffered by the individual or the gain obtained by the information processor as a result of the unlawful activities
  - Where the above loss or gain cannot be ascertained, the court has discretion to decide the amount of damages, taking into account all the circumstances.
The burden is on the information processor to prove that it has discharged its duty to protect the personal information, failing which the processor will be liable to pay damages.
3. Criminal liability
- Unlawful acquisition or sale of personal information.
  - It may amount to the criminal offence of infringing on citizens’ personal information.
- Other associated activities.
  - Other relevant criminal offences include unlawfully obtaining data from a computer information system, refusing to fulfil the obligations of cybersecurity management, etc.
Part 4 Measures for employers to take
In light of the stricter regulatory requirements under PIPL, an employer should:-
1. Review thoroughly the current internal management of the employees’ personal information
The issues for review include, among others:-
- whether the relevant persons in charge are aware of the new regulatory requirements under PIPL;
- whether there has been an adequate system established for protecting the employees’ personal information;
- whether the internal rules for protecting personal information have been effectively implemented; and
- whether there has been proper supervision over the third-party information processors.
2. Assess the risks of cross-border data transfer
PIPL imposes additional requirements for the cross-border transfer of personal information, which include, among others, a security assessment organised by the cyberspace authorities in the circumstances prescribed by law. An employer that transfers employees’ personal information outside China (e.g., to an overseas headquarters or a group HR system) should assess in advance whether these requirements apply.
3. Establish an effective system for protecting employees’ personal information
An employer should establish an effective system for protecting employees’ personal information, supervising the processing of such information and handling complaints from employees, which should all be evidenced in writing in internal rules and regulations.
4. Review and revise the relevant legal documents
An employer should review and revise the employment contracts, employees’ handbook, personal information collection statement, internal information protection policies, and the relevant guidance, so as to strengthen the internal compliance with data protection laws.