December 4, 2022

Volume XII, Number 338


What Multinational Companies Need to Know About Collecting Personal Information from Their Employees in China

The Personal Information Protection Law (PIPL), which is considered the first comprehensive law on personal information protection in the People’s Republic of China (PRC or China), came into effect on 1 November 2021. Prior to PIPL, mandatory requirements on the cross-border transfer of personal information were outlined mainly in the PRC Cybersecurity Law, and applied only to “critical information infrastructure” (CII) operators. Many draft laws or best practice guidelines contain a variety of requirements on the cross-border transfer of personal information. However, they are either still draft laws or just recommended best practices. PIPL has adopted many of the provisions from draft legislation, as well as added new requirements, creating a more comprehensive framework of requirements for the cross-border transfer of personal information.[1]

Besides establishing comprehensive compliance requirements for the cross-border transfer of personal information, PIPL has also increased penalties for breaches, compared with the PRC Cybersecurity Law. If personal information is processed in violation of PIPL, a personal information processor may be subject to a variety of penalties, including a warning, an order to rectify, the confiscation of illegal income, a fine of up to RMB1 million, or, in the event of a serious violation, a fine of up to RMB50 million or 5% of the personal information processor’s previous year’s annual revenue. In addition to these penalties, if there is a serious violation, the personal information processor may be ordered to suspend or cease its business operations, or be subjected to a revocation of the relevant regulatory approvals or business licenses. Under PIPL, a personal information processor is an entity or person that independently determines the purpose and method of processing of personal information, which includes a multinational company (MNC) employer. Processing of personal information includes the collection, storage, use, transmission, provision, publication, and erasure of personal information.

Based on our current understanding of PIPL, this alert provides key takeaways for human resources management divisions of MNCs with PRC-based operations, noting the urgency for MNCs to comprehensively review their internal procedures.

TRANSFERRING EMPLOYEES’ PERSONAL INFORMATION

It is common for an MNC to centralize the management of its China operations in its regional or global headquarters outside of the PRC. In terms of human resources management, the regional or global headquarters outside of China generally collect employees’ personal information from China, which is now regulated by PIPL as a cross-border transfer of personal information.

Since the legal consequences for noncompliance under PIPL have become much more serious, it is advisable, as a start, for MNCs to take note of the following new key PIPL requirements.

KEY TAKEAWAYS

Key requirements under PIPL that an MNC’s headquarters outside of China, as a foreign personal information processor, should be aware of when collecting personal information of its China-based employees are as follows:

General Requirements for All Processors

PIPL provides a set of requirements that are applicable for all types of personal information processors in the context of a cross-border personal information transfer, which include:

  • Human resource management policies: In general, the cross-border processing should be necessary for carrying out human resources management under a legally established employment policy and a collective employment contract entered into by an employer. Under the PRC Labor Contract Law, the formulation of employment policies which have an impact on employees’ interest does not require the consent of employees but should be done through due procedures, such as consultation with employee representatives, public announcement of the policy, or notification to employees.

  • No less protection than PIPL: Foreign personal information processors that receive personal information shall take all necessary measures to ensure that the personal information is processed and protected by them in a way that is not below the PIPL standards.

  • Data protection impact assessment: A prior personal information protection impact assessment is required before a cross-border transfer of personal information occurs.

In the event that the cross-border collection and processing of personal information is necessary for business purposes other than human resources management, separate notification to and consent of China-based employees are required.

Local Storage Requirement for Specific Processors

Among the general requirements that are applicable for all personal information processors, local storage requirements of personal information are applicable for CII operators and those processors whose processing of personal information reaches the threshold amount prescribed by the Cyberspace Administration of China (CAC). They shall store the personal information collected or generated from China within the territory of the PRC. Where it is necessary to transfer such personal information to an overseas recipient, they are required to pass a security assessment organized by the CAC.[2]

Requirements for Other Processors’ Cross-Border Collection 

Personal information processors that are not subject to the local storage requirements are required to meet one of the following conditions:

  • conclude a cross-border data transfer contract with the foreign recipient in accordance with standard contractual clauses formulated by the CAC; or

  • go through a personal information protection certification conducted by a professional institution in accordance with regulations of CAC.

Specific Requirement for Sensitive Personal Information

PIPL and other guidelines categorize certain personal information as sensitive personal information, such as employees’ facial features, fingerprints, health conditions, bank account information, ID card, etc. Sensitive personal information includes personal information of a person under the age of 14. Accordingly, any information concerning an employee’s young family members must be processed with care. The processing of sensitive personal information is subject to a higher standard, especially in a cross-border context. When an MNC outside of China collects its China-based employees’ sensitive personal information, it should note the following requirements:

  • there should be a specified purpose and sufficient necessity, and strict security measures must be adopted; and

  • the employee must be notified of the specified purpose, the reason for the necessity, and the impact on his/her rights and interests.

In the event that the processing of the relevant sensitive personal information is sufficiently necessary for a business purpose other than human resources management, a separate prior consent from China-based employees is required.

China-based Representative or Agency

According to PIPL, when a foreign personal information processor processes personal information of individuals residing within the territory of China for the purpose of analyzing and assessing the behaviors of such individuals, it is required to appoint a special agency or a representative in China (i.e., a China-based representative or agency) to be responsible for personal information protection-related matters. Because assessment review is normally part of a company’s human resources management, whether foreign regional or global headquarters should have a China-based representative or agency designated for personal information protection in this context is subject to clarification in practice.

Notification to Individuals in Specific Events

Where a China entity employer or even regional headquarters of an MNC needs to transfer personal information of China-based employees due to merger, division, dissolution or bankruptcy, it shall inform the China-based employees of the name and contact of the recipient.

Blacklist of Foreign Personal Information Processor

Under PIPL, if a foreign personal information processor infringes on the personal information rights and interests of any Chinese citizen, or endangers the national security or public interests of China, it could be blacklisted by the CAC and restricted or prohibited from further collecting personal information from China. Whether and to what extent this provision is applicable to foreign regional or global headquarters’ processing of personal information of their China-based employees is an open question.

NEXT STEPS

We expect additional important developments with respect to PIPL in the months to come and will keep you informed of significant changes.

Monica Zhang also contributed to this article.

FOOTNOTES

[1] Under PIPL, personal information is any information related to an identified or identifiable person, excluding the information processed anonymously.

[2] The Regulations on the Security Protection of Critical Information Infrastructure became effective on 1 September 2021. In principle, the regulators will formulate relevant implementation rules and identify and notify CII operators pursuant to these rules. Please see our alert “Overview of the New Implementing Rules on Critical Information Infrastructure in China and Key Takeaways” for further analysis of this development.

Copyright 2022 K & L Gates

National Law Review, Volume XI, Number 314

About this Author

Amigo L. Xie, Corporate/M&A, Hong Kong
Partner

Dr. Xie’s practice focuses on PRC-related cross-border merger and acquisition (M&A) (inbound investment into China and outbound investment from China), Chinese companies’ overseas IPO, anti-trust pre-merger filing in China, and corporate and commercial matters. With more than 15 years’ experience representing both domestic and foreign investors in PRC-related cross border transactions, Dr. Xie advises clients on a wide array of legal issues including, overseas investments by PRC individuals, state-owned or private enterprises, foreign direct investment, corporate restructuring,...

852-2230-3510

Yibo Wu
Associate

Yibo Wu is an associate in the Shanghai office. His practice focuses on cross-border M&A and general corporate matters. He has represented many multinational companies in their cross-border transactions across various industries such as TMT, health care, real estate, e-commerce, automotive, energy, advertising, and entertainment.

+86-21-2211-2090

Xiaotong Wang
Associate

Xiaotong Wang is an associate in the firm’s Beijing office. She has extensive experience representing clients in cross-border mergers and acquisitions, foreign direct investments, corporate regulatory, employment and workplace safety, and a range of aspects of corporate matters and commercial transactions. Her practice also involves regulatory and compliance advice on pharmaceuticals and medical devices, foreign NGOs with presence in China as well as data privacy and cybersecurity.

+86.10.5817.6119

Wu Dan
Consultant

Wu Dan’s practice focuses on M&A, FDI, general corporate, and food regulation. She has advised a variety of multinational corporations in their PRC projects, including acquisition of PRC companies in a variety of industries as well as the establishment, operation, and dissolution of foreign invested enterprises in various cities of China.

+86.21.2211.2083