China’s Personal Information Protection Law (“PIPL”) came into effect on 1 November 2021. Accompanying the PIPL, the Cyberspace Administration of China (“CAC”) also published draft Measures for the Security Assessment of Outbound Data for public consultation.
In most cases, multinational companies with operations in China will involve some communication going back and forth between China and the overseas headquarters. These companies need to collect and process information from their existing and prospective employees, from the recruiting process to the end of the employment. Therefore, it is crucial to study the relevant provisions in the PIPL that affect how employers collect and process employees’ personal information. We can foresee a few scenarios where employers should be extra careful:
- Information transmission between China subsidiaries and overseas related companies involves personal information of employees;
- The Company’s ERP data, including personal information of China employees, are hosted or being backed up on an overseas server;
- A third-party service provider is managing China-based employees’ insurance and other benefits outside of China;
- The subsidiary will be sold or acquired, and the potential new owner is arranging the transaction through a third party overseas;
- An internal investigation is being carried out, requiring access to the electronic equipment of employees.
In practice, there are certainly more complex cases where a detailed analysis should be conducted. Based on the current development of the data privacy framework, we advise employers to take the following actions:
Explicitly notify employees and obtain their written consent on processing their personal information
It is already common for many employers to obtain “general consent” from employees during the hiring and induction process. The old practice might merely involve a general statement in the employee’s contract or the staff handbook. However, such clauses are no longer sufficient to cover all scenarios. Separate notices should be given to employees when the employer intends to disclose employee information to a third party, transfer it to a location outside China, or process sensitive personal information. In the written consent, employers should explicitly notify employees of the following items:
- Name and contact information of the data controller;
- The purposes and methods of processing of personal information;
- Categories and retention periods of personal information to be processed; and
- Methods and procedures for employees to exercise their rights enshrined in the PIPL.
Even though the PIPL provides additional grounds to process employee data in certain circumstances without the need to obtain consent, the precise scope of these exceptions is yet to be clarified. Therefore, the best policy is for employers to be prudent in all cases.
Undertake a security impact assessment before transmitting personal information abroad
According to the draft Measures for the Security Assessment of Outbound Data, before employers provide employees’ personal information overseas, they should first carry out a data export risk self-assessment, focusing on the following matters:
- Legality, appropriateness, and necessity of the purpose, scope, and methods of exporting the data, and of the overseas recipient’s handling of the data;
- Volume, scope, types, and sensitivity of the exported data, and potential risks to national security, public interests, or the lawful rights and interests of individuals and organizations that might arise from exporting the data;
- Management and technical measures, and the capacity of data handlers to prevent risks such as data leaks and destruction;
- Responsibilities and obligations that the overseas recipient has pledged to undertake, its management and technical measures, its capacity to perform those responsibilities and obligations, and whether it can ensure the security of the outbound data transfer;
- Risks of leaks, damage, tampering, and abuse of the data after it is transmitted abroad and further transferred;
- Whether the individuals whose data is transmitted abroad can easily access channels to safeguard their rights and interests in personal information protection; and
- Whether the agreements signed with the overseas recipient fully specify responsibilities and obligations in protecting data security.
In addition to self-assessments, if the amount of personal information exceeds a certain threshold according to the Measures for the Security Assessment of Outbound Data, a mandatory security impact assessment through the provincial level of CAC will be triggered.
Sign cross-border data transfer agreements with overseas data recipients
The China subsidiary should sign a cross-border data transfer agreement with each of its overseas data recipients. The agreement should provide the responsibilities and obligations for data security protection, including:
- Purposes and methods of transmitting the data abroad and the scope of the outbound data;
- Purposes and methods of data processing by the overseas recipient;
- Location and duration of overseas storage of the data;
- How to deal with the data after the storage period expires, the purpose agreed upon is completed, or the contract is terminated;
- Clauses restricting the overseas recipient from re-transferring the data transmitted abroad to other organizations or individuals;
- Security measures that shall be taken in case of any substantial change in the actual control right or business scope of the overseas recipient, or any change in the legal environment of the country or region where the overseas recipient is located, which makes it difficult to guarantee data security;
- Liability for breach of the data security protection obligation, and binding and enforceable dispute resolution clauses;
- Clauses about properly carrying out emergency measures in case of data leaks and other risks;
- Clauses about ensuring the smooth channels for individuals to safeguard their personal information rights and interests.
Review and update the company’s data storage and backup policy in China
HR managers in China should work with the IT department to review the current IT infrastructure for data storage, protection, and backup. Pay special attention to assessing whether the company should improve its China data backup policy, database management system, data masking, and remote access mechanisms.
For more complex cases, it is recommended to conduct a risk analysis to avoid liability. Employers would need to rethink their policies and implement corrections to align with China’s data privacy framework. Amendments should be planned according to each company’s situation to reduce liability exposure and generate trust from the employees.