Employers in China Should Prepare for Compliance Expectations Under Draft PIPL
The purpose and necessity of legislation for personal information protection is simple and straightforward: it is our right as individuals to have our personal information and privacy protected, especially given the rapidly developing digital world with its widely used networks. Yet the laws protecting personal information are not simple for us to digest; you will likely agree on their complexity if you have reviewed or studied, for example, the General Data Protection Regulation (“GDPR”) of the European Union.
Further complicating matters is the fact that personal information protection requires, first, legislation by the government, to be followed by a set of regulatory mechanisms as well as the establishment and adoption of practical and useful technical measures by personal information processors. Moreover, these mechanisms and technical measures cannot be “one-off” actions; instead, they need to be maintained and managed continuously for the long run, so as to observe the law’s requirements. Examples include responding promptly to any request from individuals to review, rectify, or delete their personal data, and acting in a timely manner when the storage term expires.
The draft of the PRC Personal Information Protection Law was released on October 21, 2020 (“PIPL Draft”) to seek comments from the public. Though the PIPL Draft is much shorter than the GDPR (the English version of the PIPL Draft runs to around 11 pages, whereas the GDPR runs to 88 pages), the articles of the PIPL Draft cover most of the core content found in the GDPR.
To simplify matters, this article aims to help you understand the core requirements under the PIPL Draft from the perspective of an employer, in the form of a Q&A (assuming that “we” are a corporate employer that manages employees).
Q: Whose information and what information do we process?
A: We process our employees’ personal information. Personal information (“PI”), which is referred to as “personally identifiable information” (PII) in the U.S. or “personal data” in the EU, means various kinds of information related to any identified or identifiable natural person recorded by electronic or other means, for example, our employee’s full name, date of birth, gender, address, resume, fingerprint, ID number, etc. As an exception, information that has been anonymized does not count as PI.
(Relevant Article in the PIPL Draft: Article 4)
Q: What does “process”/“processing” mean in the context of PI protection?
A: Processing covers the various operations performed on PI, including collection, storage, use, modification, transmission, provision, publication, and so on.
For example, when we ask our newly onboarded employees to fill in the onboarding form with their names, phone number, contact address, emergency contact person, etc., we are “collecting” their PI. When we input the employees’ information into our HR systems for efficient administration, we are “storing” their PI. When we provide their information to an insurance company for the purpose of purchasing group insurance for our employees, we are “using” and “transmitting” their PI. From collection to deletion, this can be viewed as the “life cycle” of the PI. All these steps in the life cycle are collectively called “processing” of PI.
(Relevant Article in the PIPL Draft: Article 4)
Q: Are we governed by the PIPL if we are a company registered outside of China?
A: It depends on whether we process the PI of individuals who are in the territory of China, and for what purpose.
If we process the PI of individuals who are in the territory of China for either of the following purposes, the PIPL shall apply to us even if we are registered and physically located outside China: i) to provide products or services to individuals inside China; and ii) to analyze and evaluate the activities of individuals inside China. This stipulation is similar to the “long-arm jurisdiction” under the GDPR.
Imagine we are a company registered in Singapore with only a representative office in China, we hire Chinese employees in China indirectly via a dispatch agency, and we use fingerprint time clocks to track the employees’ attendance. Such activities literally match the description “analyze and evaluate the activities of individuals inside China” in the PIPL Draft. In such a case, we (the Singapore company) will be governed by the PIPL, unless a further interpretation of the provision says otherwise.
(Relevant Article in the PIPL Draft: Article 3)
Q: What is our role as the employer?
A: Under the PIPL Draft, we are the “processor”, because we, as the employer, independently determine the purpose, method, and other matters of the processing of our employees’ PI.
According to the PIPL Draft, a PI processor is any organization or individual that independently determines the purpose and method of processing and other PI processing matters. This concept is similar to the “data controller” under the GDPR.
(Relevant Article in the PIPL Draft: Article 69)
Q: What are our main obligations and responsibilities?
A: In our role as PI processor, we are responsible for our handling of PI. Therefore, we must take the necessary measures to ensure the security of PI throughout its “life cycle” in order to minimize our risk.
To be specific, our main obligations may be roughly divided into two aspects, organizational and technical; some obligations require both organizational and technical support simultaneously (as illustrated below):
(Relevant Articles in the PIPL Draft: Article 9, Articles 50 to 55)
Q: What should we do when we collect and use the employees’ PI?
A: We briefly explain the respective legal grounds for collecting and using employees’ personal information.
Prior to collection or any other step of processing, we must have a legal ground to do so. A legal ground mainly refers to any of the following:
- The individual agrees.
(For example, the employee agrees to provide us with his hometown address, even though it is not his current usual address.)
- It is necessary for the conclusion or performance of a contract with the individual.
(For example, for performance of the labor contract between the employee and us, they must provide their bank account number so that we can pay them their salary.)
- It is necessary for the performance of statutory duties/obligations.
(For example, our employees must provide us with their ID number, as we have the statutory duty to withhold and pay individual income tax on their behalf as required by the tax bureau.)
- It is necessary for coping with emergencies or for the protection of the life, health, and property safety of a natural person.
(For example, if an employee is injured and falls unconscious, when we send them to the hospital we must provide their PI to the hospital without their consent.)
- To carry out activities, such as news reporting and public opinion supervision, in the public interest and within a reasonable scope.
(For example, our employee in charge of marketing gives a presentation at a public event, and we later publish this news on our website with their picture from the event.)
Minimum information for the purpose
When collecting PI, we shall make sure the PI we collect is limited to the minimum scope needed to achieve the purpose under the applicable legal ground. We are not supposed to collect PI that is unnecessary or beyond the purpose. For example, when an employee is onboarded, their full name, ID number, contact details, bank account number, emergency contact person, and basic physical examination report could be sufficient for the purpose of concluding and performing the labor contract; it is unnecessary to collect irrelevant information, such as their family members’ names, unless we have an additional purpose and legal ground to collect that PI.
In addition to having a legal ground, we shall also clearly inform our employees of the purpose, the type of PI to be processed, the processing manner, the storage term, and other aspects of the processing of their PI. Informing before processing is mandatory, except where a confidentiality obligation applies or in emergency circumstances. To comply with this stipulation, we may want to include such details in the labor contract from an overall perspective, to avoid having to issue separate notices from time to time (unless specific notice is mandatorily required by law).
(Relevant Articles in the PIPL Draft: Articles 13 to 19)
Q: What should we do to the PI in our possession?
A: Keep in mind the following considerations:
Minimum storage term
The storage term of the PI must be the minimum necessary for achieving the purpose.
Reaction to our employees’ request
The PIPL Draft grants individuals rights with respect to their PI, namely: the right to know about the processing; the right to consent to or reject the processing; the right to review and copy their PI; the right to require rectification or supplementation of inaccurate PI; the right to require deletion of their PI; the right to request an explanation of the processing rules; etc. As the PI processor, we should establish and maintain a mechanism for accepting our employees’ requests and respond to them promptly.
(Relevant Articles in the PIPL Draft: Article 20, Articles 44 to 49)
Q: What should we do when we must send our employees’ PI to our HQ outside of China?
A: We must meet at least one of the following conditions:
- The cross-border provision of PI has passed the security assessment organized by the State cyberspace administration.
- The protection of PI has been certified by a professional institution in accordance with the rules of the State cyberspace administration.
- A contract with the overseas recipient has been concluded, which specifies the rights and obligations of both parties; and the overseas recipient’s processing of PI shall be supervised to ensure that its processing activities meet the standards of protection of PI as stipulated in the PIPL Draft.
- The cross-border provision of PI has satisfied other conditions prescribed by laws, administrative regulations or the State cyberspace administration.
In addition, we shall inform the employee whose PI is being provided overseas of the identity of the overseas recipient, its contact details, the purpose and method of processing, the type of PI, and the way for the individual to exercise his rights, and shall obtain his specific consent.
(Relevant Article in the PIPL Draft: Article 38)
Q: What should we do when we no longer need the PI in our possession?
A: In theory, when the agreed storage period has expired or the purpose of processing the PI has been achieved, we shall proactively delete the PI. However, as we can foresee and based on experience, we may have to retain some of our employees’ PI for some time even after their labor relationship with us has ended, for multiple reasons: for example, to issue or re-issue a separation certificate for the former employee, to provide a background check at the request of the former employee’s new employer, to prepare for a potential labor dispute, etc. For all such possible post-termination storage of PI, we may want to specify it as an exception in the relevant PI documents, for example in the notice where we inform our employees of our processing of their PI at the very beginning, ideally with their consent.
(Relevant Article in the PIPL Draft: Article 47)
It may be easier for us to understand the law from the perspective of an employer, as most companies need to manage staff before managing relationships and transactions with customers and/or suppliers. Once we have understood the law’s requirements for employers, we can readily apply the same understanding and rationale when dealing with the individual information of our customers, suppliers, and other cooperative partners.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at email@example.com.