Impact of the new Personal Information Protection Law in the workplace

What employers should know about the PIPL and what actions should be taken.

27 September 2021

On 20 August 2021, the Standing Committee of China’s National People’s Congress released the official version of the Personal Information Protection Law (hereinafter “PIPL”), which will come into force on November 1, 2021.
This article highlights the key requirements for employers and the upgrades to current measures that may be necessary to meet them, particularly with regard to human resource management and data transfer.

1. Personal information categories under the PIPL

The PIPL provides a relatively precise definition of “personal information”. Under Article 4 of the PIPL, “personal information” is defined as information related to individuals recorded electronically or by other means that has been used or can be used to identify such individuals, excluding anonymized information.

In addition, Article 28 of the PIPL defines “sensitive personal information” as personal information that, once released, is likely to result in damage to an individual’s personal dignity, physical wellbeing or personal property, such as biometric identification, religious belief, special identity, medical health, financial account, physical location tracking and whereabouts, and personal information of minors under the age of 14.

Unlike the draft PIPL, the official version supplements the legal basis for processing personal information where individual consent is not a mandatory pre-condition. Among other things, employers are entitled to collect and process personal information for conducting human resource management under the labour rules and regulations on a necessary basis, without obtaining employees’ consent.

The PIPL does not give precise details regarding what constitutes “a necessary basis” for human resource management personal information processing. In practice, the employer may generally seek to collect various personal information from its employees for labour management purposes, including name, gender, ethnicity, date and place of birth, national ID (or passport for non-Chinese citizens) number, address, email address, general health conditions, educational background, work experience, emergency contacts, and immediate family members.

3. Employer’s obligations in processing personal information

According to the PIPL, an employee shall give consent in a clear and voluntary declaration of intent under the premise of full knowledge. If the purpose or method of processing personal information has changed, the employer must seek the employee’s consent again. For personal information that must be processed with consent, the employee has the right to withdraw such consent. However, the data processing conducted before the employee withdraws their consent will not be affected.

Though the basis of human resource management allows the employer to process personal information without consent, it does not provide a shortcut for the employer. Considering the complexity of processing personal information, employers are burdened with relatively heavy responsibilities for personal information protection.

Privacy notices are widely used by companies to obtain consent from information subjects to collect and process their personal information. A privacy notice remains an effective method in the era of the PIPL, although amendments should be made in accordance with the law.

Moreover, according to Articles 28 and 29 of the PIPL, an employer must obtain separate consent from the subject prior to processing sensitive personal information, which, notably in the employment context, may include financial information for payroll arrangement, biometric information collected by the system for entry onto premises or access to IT equipment, location tracking on company-issued devices, and health information related to medical insurance or periodic health checks. Although the PIPL does not provide a clear form of “separate consent”, a privacy notice remains an effective tool for employers. For the purposes of third-party data transfer, the employer is obliged to provide the data subject with the name and contact information of the third party, as well as the purposes of the transfer.

4. Transfer of personal information to third-party information processors

The employer may need to transfer the data subject’s personal information to third parties to achieve various human resources management purposes. For example, a bank may be involved as a third-party data receiver for payroll arrangement; a health facility may receive sensitive personal information from a company to provide physical examinations to its employees; or a human resources service agency may require packaged personal information to offer services.

Under the PIPL, an employer must obtain separate consent from an employee before transferring personal information. Separate consent is not defined, but the language in the PIPL suggests that express consent for each specific purpose is required to provide personal information to a third-party personal information processor. In addition, the employer is obliged to provide the data subject with the name and contact information of the third party, as well as the purposes of the transfer.

5. Cross-Border Transfer of Employees’ Personal Information

The PIPL also requires the employer to obtain separate consent from the employee when providing personal information to overseas parties (e.g., an overseas parent company and its affiliates and global investigation agencies). For international companies, cross-border data transfer features in many aspects of everyday operating practices; for example, internal audits and investigations, global mobility and employment transfers, sharing of global databases, M&A transactions, and outsourcing.

As with transferring data to a third party, when transferring documents and files containing personal information of a Chinese employee to overseas parties, the employer should inform the employee of the name of the overseas recipient, contact information, purpose and method of processing, type of personal information to be transferred and procedures for the employee to exercise their rights stipulated under the PIPL against the overseas recipient.

The requirements for cross-border transfers of employees’ personal information will significantly impact daily human resources operations for international companies. For instance, it is common for an international company to provide global insurance to its employees worldwide; the personal information of a Chinese employee may therefore be provided to a non-Chinese insurance facility. Employers need to consider new policies and take the necessary steps (obtaining prior separate consent from employees, executing cross-border data transfer agreements) to ensure compliance with the cross-border transfer of personal information requirements under the PIPL.

Additionally, under Article 41 of the PIPL, unless approved by competent authorities in China, employers are not allowed to provide any personal information of employees stored within the territory of China to any foreign judicial authorities or law enforcement agencies.

The restrictions under Article 41 also add a new consideration for companies conducting audits and investigations on their employees in China, especially if such audits and investigations can lead to the involvement of law enforcement agencies or judicial authorities.

The PIPL will take effect in approximately one month’s time. Companies are advised to review and update their existing employee consent forms and ensure compliance.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.