China’s Personal Information Protection Law (“PIPL”) came into effect on 1 November 2021. Accompanying the PIPL, the Cyberspace Administration of China (“CAC”) also published draft Measures for the Security Assessment of Outbound Data for public consultation.
In most cases, multinational companies with operations in China will involve some communication going back and forth between China and the overseas headquarters. These companies need to collect and process information from their existing and prospective employees, from the recruiting process to the end of the employment. Therefore, it is crucial to study the relevant provisions in the PIPL that affect how employers collect and process employees’ personal information. We can foresee a few scenarios where employers should be extra careful:
In practice, there are certainly more complex cases where a detailed analysis should be conducted. Based on the current development of the data privacy framework, we advise employers to take the following actions:
Explicitly notify employees and obtain their written consent on processing their personal information
It is already common for many employers to obtain “general consent” from employees during the hiring and induction process. The old practice might merely involve a general statement in the employment contract or staff handbook. However, such clauses are no longer valid as a blanket basis covering all scenarios. Separate notices should be given to employees when the employer intends to disclose employee information to a third party, transfer it to a location outside China, or process sensitive personal information. In the written consent, employers should explicitly notify employees of the following specific items:
Even though the PIPL provides additional grounds to process employee data in certain circumstances without the need to obtain consent, the precise scope of these exceptions is yet to be clarified. Therefore, the best policy is for employers to be prudent in all cases.
Undertake a security impact assessment before transmitting personal information abroad
According to the draft Measures for the Security Assessment of Outbound Data, before employers provide employees’ personal information overseas, they should first carry out a data export risk self-assessment, focusing on the following matters:
In addition to the self-assessment, if the amount of personal information exceeds the threshold set out in the Measures for the Security Assessment of Outbound Data, a mandatory security assessment by the provincial-level CAC will be triggered.
Sign cross-border data transfer agreements with overseas data recipients
The China subsidiary should sign a cross-border data transfer agreement with each of its overseas data recipients. The agreement should set out the responsibilities and obligations for data security protection, including:
Review and update the company’s data storage and backup policy in China
HR managers in China should work with the IT department to review the current IT infrastructure for data storage, protection, and backup. Pay special attention to whether the company should improve its China data backup policy, database management system, data masking, and remote access mechanism.
For more complex cases, it is recommended to conduct a risk analysis to avoid liability. Employers will need to rethink their policies and implement corrections to align with China’s data privacy framework. Amendments should be planned according to each company’s situation to reduce liability exposure and build trust with employees.