China’s Personal Information Protection Law (PIPL) came into effect on November 1. Comprehensive privacy laws have existed for many years in various parts of the world—most notably the European Union, which first enacted its Data Protection Directive in 1995 and followed it with the General Data Protection Regulation (GDPR) in 2016.
However, PIPL represents the first ever comprehensive privacy law in China. At first glance, China’s PIPL might appear to be another step in its increased regulation of technology, following up on its Cybersecurity Law. A closer look, however, reveals striking similarities with privacy laws elsewhere, and when applied to employee data, PIPL looks far from an outlier.
Steps Companies Must Take
In fact, China’s PIPL is like Europe’s GDPR in terms of the basic rights it affords individuals. According to China’s PIPL, there are certain steps companies must take when processing employee data, such as the following:
- Companies must have a legitimate reason for processing personal data
- Companies must inform individuals about the processing
- They can process no more data than is needed for the specified purpose
- They must ensure that personal data is accurate
- Companies must implement appropriate security measures
- Companies must provide individuals rights to access, correct, and delete their data
While these rights are defined in more general terms than in GDPR, in fundamental substance they mirror those in GDPR.
Put simply, China hasn’t created something new, and companies with operations in Europe or elsewhere, along with associated privacy programs, should have a strong foundation to build on for compliance.
As with any privacy compliance program, fundamentally, companies must do three things:
- Assess where there are gaps between their existing practices and the obligations of PIPL
- Implement an action plan to address and close those gaps
- Demonstrate compliance via continuous monitoring and maintaining evidence to ensure that new processes operate as expected and do not fall by the wayside
HR Areas Companies Need to Know
In the HR space, there are a few wrinkles that companies will need to think about. The first is engagement of entrusted parties—essentially, service providers—that process data pursuant to their instructions. It is important that companies have contracts with their entrusted parties that define how the entrusted party will use the data, its obligations to comply with the company’s instructions, and its implementation of security measures. All these are analogous to GDPR’s requirements for data processing contracts. Beyond that, companies need to ensure that their service providers have put in place compliance mechanisms for PIPL, so that they are confident that those providers can live up to those contractual terms.
The second relates to processing of sensitive data. While PIPL, as noted, gives companies many legal bases for processing data for HR purposes, including compliance with legal obligations and fulfillment of a contract, when sensitive data is processed, consent is required. So, HR professionals will need to determine whether they are processing sensitive data, which includes data related to biometrics, religious beliefs, medical conditions, and financial accounts, and if so, make sure they implement mechanisms to obtain employee consent.
The third area of focus relates to cross-border data transfers. There are two separate requirements that apply. First, as with sensitive data, consent is required. To obtain consent, employers must provide information on the types of data to be transferred, the entities to which data will be provided, and how individuals can exercise their rights under PIPL. For a transfer to a third party, this requirement is straightforward. Transfers to entrusted parties, however, aren’t really transfers to a third party as such. In this case, companies should still obtain consent for the transfer abroad, state what data is being transferred, and attest that the employer remains in control of the data and is the contact point for any exercise of rights under PIPL.
The second requirement for transfers is the implementation of a data transfer mechanism. For certain companies, this will involve a security review, because of the number of individuals they hold information on or the amount of information transferred. Under the current draft guidelines issued by the Cyberspace Administration of China, companies that transfer personal data abroad and have records on more than one million individuals, or that transfer abroad personal data of more than 100,000 individuals, would have to undergo a security review. It remains unclear whether these thresholds will change when the decree is finalized or what elements will comprise the security review. With respect to service providers, companies should look to their entrusted parties to provide technical information that will assist them with such reviews.
For other companies, use of model contractual clauses will be required. This is a familiar approach, as the European Union also uses model contractual clauses to enable data transfers to third countries. However, as the model clauses have not yet been released, it is unclear what obligations they will impose.
Ultimately, companies should not be concerned by the uncertainty. There is some ambiguity with any new legislative framework. Implementing regulations often follow laws—indeed, in Europe, it took years after GDPR came into force before the model contractual clauses for data transfers were updated to take account of its new requirements. Rather, employers should focus on what they know, which includes the following:
- The substantive obligations around lawful processing
- Data minimization
- Individual rights requests
While it seems clear that China will require some types of data to be stored in country, particularly for critical information infrastructure providers, it will not prevent the transfer of that data abroad provided a security assessment is completed or model clauses are put in place. Even for entities that are ultimately designated as critical information infrastructure providers under the cybersecurity law, the localization obligations will likely apply only to the data that makes them critical, such as data related to their operations as finance, energy, utility, defense, or communications companies.
In conclusion, it is not surprising that China has enacted a privacy law, that some of its provisions are vague, and that regulatory guidance remains to be issued on certain points. This is consistent with the increasing adoption of privacy laws globally, the process of putting those laws in place, and China’s legal system. But by building on experience with existing privacy laws, recognizing that most HR data is already processed to comply with legal obligations or to fulfill contracts with employees, and that the more draconian provisions of the law are aimed at other types of personal data, HR professionals can help their companies build strong compliance programs, leveraging practices of the third parties they work with.
Jason Albert is Global Chief Privacy Officer at ADP where he leads the company’s worldwide privacy compliance program, building on his more than 20 years of experience in legal and policy work in both the United States and Europe. Before joining ADP in 2021, Albert spent five years at Workday, where he led the company’s privacy legal and government affairs teams, and nearly a decade at Microsoft, where he was responsible for strategic projects related to the privacy of the company’s cloud computing offerings. Albert holds a Juris Doctor degree from Harvard Law School. He also holds a bachelor’s degree from Princeton University.