The purpose of, and need for, legislation protecting personal information (PI) is simple: individuals have a right to have their PI and privacy protected, all the more so as networked electronic systems spread rapidly. Yet the laws protecting PI are not always easy to understand, as anyone who has reviewed or studied the European Union's General Data Protection Regulation (GDPR) can attest.
Further complicating matters, PI protection starts with government legislation but also requires a set of regulatory mechanisms and the establishment and adoption of practical, useful technical measures by PI processors. These mechanisms and measures cannot be one-off actions; they must be maintained and managed continuously so that the processor keeps meeting the law's requirements over the long run. For example, a request from an individual to review, rectify, or delete their personal data must be handled promptly, and data must be removed when its storage term expires.
The draft of the People’s Republic of China Personal Information Protection Law (PIPL Draft) was released on 21 October 2020, to seek comments from the public. Though the length of the PIPL Draft is much shorter than the GDPR (the English version of the PIPL Draft is around 11 pages, whereas the GDPR is 88 pages), the articles of the PIPL Draft cover most of the core contents under the GDPR.
This article helps you understand the core requirements under the PIPL Draft from the perspective of an employer, in the form of a Q&A (assuming that you are a corporate employer managing employees).
Q: Whose information and what information do we process?
A: You process your employees' personal information (PI). PI, which is referred to as "personally identifiable information" (PII) in the United States or "personal data" in the European Union, means any kind of information relating to an identified or identifiable natural person, recorded electronically or by other means. Examples include your employee's full name, date of birth, gender, address, résumé, fingerprint, and ID number. As an exception, information that has been anonymized does not count as PI.
Q: What does process/processing mean in the context of PI protection?
A: Processing covers the activities carried out on PI, including collection, storage, use, modification, transmission, provision, and publication of PI.
For example, when you ask newly onboarded employees to fill in an onboarding form with their name, phone number, contact address, emergency contact, etc., you are collecting their PI. When you enter the employees' information into your HR system for efficient administration, you are storing their PI. When you pass their information to an insurance company to purchase group insurance for them, you are using and providing (transmitting) their PI. The steps from collection through to deletion can be viewed as the life cycle of the PI, and all of them are collectively called processing of PI (see Figure 1).
Figure 1—Processing Under the Context of Personal Information Protection
Q: Are we governed by the PIPL if we are a company registered outside of China?
A: It depends on whether you process PI of individuals who are in the territory of China, and for what purpose. If you process PI of individuals in China for either of the following purposes, the PIPL will apply to you even if you are registered and physically located outside China:
- To provide products or services to individuals inside China
- To analyze and evaluate the activities of individuals inside China. This provision resembles the extraterritorial ("long-arm") scope of the GDPR.
Imagine you are a company registered in Singapore with only a representative office in China. You hire Chinese employees in China indirectly through a dispatch agency and use a fingerprint punch clock to monitor their attendance. Such activities plainly match the description "analyze and evaluate the activities of individuals inside China" in the PIPL Draft. In this case the Singapore company will be governed by the PIPL, unless a later official interpretation of the provision says otherwise.
Q: What is our role as the employer?
A: Under the PIPL Draft, you are the "PI processor," because as the employer you are the party that independently determines the purpose and method of processing your employees' PI. Note that the PIPL Draft's "processor" corresponds to what the GDPR calls a "controller"; the GDPR's "processor" (a party handling PI on a controller's behalf) corresponds to an "entrusted party" under the PIPL Draft. According to the PIPL Draft, PI processor refers to any organization or individual that independently determines the purpose and method of processing and other PI processing
Q: What are our main obligations and responsibilities?
A: As the PI processor, you are responsible for your processing activities. You must therefore take the necessary measures to ensure the security of PI throughout its life cycle and to minimize your risk. Broadly, your main obligations fall into two groups, organizational and technical; some obligations require both organizational and technical support at the same time, as illustrated in Figure 2.
Figure 2—Personal Information Processor Obligations in China
Q: What should we do when we collect and use the employees’ PI?
A: First, identify the legal ground for collecting and using each category of the employees' PI. Before collection or any other processing step, you must have a legal ground to do so. Legal ground mainly refers to any of the following:
- The individual agrees. For example, the employee agrees to provide a hometown address though it is not their current frequent address.
- It is necessary for the conclusion or performance of a contract with the individual. For example, for performance of the labor contract between the employee and you, they must provide their bank account number so that you can pay them their salary.
- It is necessary for the performance of statutory duties/obligations. For example, your employee must provide you their ID number as you have the statutory duty to withhold and pay individual income tax for them as expected by the tax bureau.
- It is necessary for responding to an emergency or for protecting the life, health, or property of a natural person. For example, if an employee is injured and you send them to hospital, you may provide their PI to the hospital without their consent.
- It is necessary, within a reasonable scope, for activities in the public interest such as news reporting and public-opinion (media) supervision. For example, your marketing employee gives a presentation at a public event, and you later publish a news item about it on your website with their picture from the event.
When collecting PI, you must make sure the PI you collect is limited to the minimum needed to achieve the purpose for which you have a legal ground. You must not collect PI that is unnecessary or beyond that purpose. For example, when an employee is onboarded, their full name, ID number, contact details, bank account number, emergency contact, and a basic physical examination report should be sufficient for concluding and performing the labor contract. It is unnecessary to collect unrelated information, such as family members' names, unless you have an additional purpose and legal ground for doing so.
In addition to having a legal ground, you must clearly inform your employees of the purpose, the type of PI to be processed, the processing method, the storage term, and the other aspects of the processing of their PI. This notice must be given before processing, except where the law imposes a confidentiality obligation or in an emergency. To comply, you may want to set out these details in the labor contract from the outset, so that you do not have to issue a separate notice each time (unless a specific notice is mandatorily required by law).
Q: What should we do to the PI in our possession?
A: First, remember the minimum storage term: PI must be kept no longer than is necessary to achieve the purpose of processing. The PIPL Draft also grants individuals rights with respect to their PI. These rights include the rights to:
- Know about the processing
- Consent to or refuse the processing
- Review and copy their PI
- Require rectification and supplement to their inaccurate PI
- Require deletion of their PI
- Request explanation regarding the processing rules, etc.
As the PI processor, you should establish and maintain a mechanism for receiving your employees' requests and respond to them promptly.
Q: What should we do when we must send our employees’ PI to our HQ outside of China?
A: You must meet at least one of the following conditions:
- The cross-border provision of PI has passed the security assessment organized by the State cyberspace administration
- The protection of PI has been certified by a professional institution in accordance with the rules of the State cyberspace administration
- A contract has been concluded with the overseas recipient that specifies the rights and obligations of both parties, and you supervise the overseas recipient's processing to ensure that it meets the PI protection standards stipulated in the PIPL Draft
- The cross-border provision of PI has satisfied other conditions prescribed by laws, administrative regulations, or the State cyberspace administration
In addition, you must inform the employee whose PI is being transferred overseas of the overseas recipient's identity and contact details, the purpose and method of processing, the type of PI involved, and how the employee can exercise their rights against the recipient, and you must obtain the employee's separate consent to the transfer.
Q: What should we do when we no longer need the PI in our possession?
A: In principle, when the agreed storage period has expired or the purpose of processing has been achieved, you must proactively delete the PI. In practice, however, you may need to retain some of your employees' PI for a period even after their employment with you has ended, for several reasons: to issue or re-issue a separation certificate to the former employee, to answer a background check requested by the former employee's new employer, to prepare for potential labor disputes, and so on. For such post-termination retention, you may want to specify the exceptions in the relevant PI documents, for example in the notice that informs your employees about your processing of their PI at the very beginning, ideally with their consent.
It may be easier to understand the law from the perspective of an employer, as most companies must manage staff before they manage relationships and transactions with customers and suppliers. Once you have understood the requirements for employers, you can readily apply the same understanding and rationale to the PI of your customers, suppliers, and other business partners.
This article was first published by China Briefing, which is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia from offices across the world, including in China, Hong Kong, Vietnam, Singapore, India, and Russia. Readers may write to [email protected] for more support.