
China’s Personal Information Protection Law: what employers need to know before 1 November 2021

  • Hong Kong
  • Privacy, data protection and cybersecurity

28-10-2021

 

In August 2021, the Standing Committee of the National People’s Congress passed the Personal Information Protection Law (“PIPL”). It will come into effect on 1 November 2021 and is China’s first comprehensive law on the protection of personal information. What do employers need to know?

Application outside China

The PIPL applies not only to data processing within China but also, in some circumstances, to data that is processed outside of China, such as for analysing behaviour, providing goods or services, or as may otherwise be provided under law.

Separating Privacy and Personal Information

Although the PIPL is China’s first comprehensive law on the protection of personal information, there is other legislation that covers matters relating to privacy. It is therefore important to note that under Chinese law, “Privacy” (隱私) and “Personal Information” (個人信息) are two distinct concepts.

Privacy is defined as an individual’s peace of private life and other private space, private activity and private information the individual does not want others to know (Article 1032 of the Civil Code). Personal Information is defined as all information relating to any identified or identifiable natural person, whether in electronic or other form (Article 4 of the PIPL).

Employers should recognize that Privacy and Personal Information are regulated differently even if they overlap. Employers must be able to correctly categorize the information they possess about their employees to be compliant with Chinese legal requirements.

An organization or individual dealing with matters that affect the Privacy of another person is required to obtain the individual’s express and separate consent unless the dealing is expressly authorized by law. In a human resources management context, this would mean that an employer would have to obtain the employee’s express and separate consent before it can conduct searches of the employee’s private space (e.g. lockers) or of company electronic devices where the employee has a reasonable expectation of privacy. Infringement of the rule may expose the employer to tortious liability in damages for psychiatric injury, apology and injunctive relief.

Alternatively, Article 13(2) of the PIPL specifically allows an employer to process an individual’s Personal Information for the purposes of human resources management in accordance with the Labour Rules (勞動規章制度) established by the employer without the need to obtain the individual’s consent. This permission was added in the final draft and gives employers clear grounds to process information where it is necessary for human resource management purposes. Note that what is “necessary” is not defined, however. We therefore recommend that employers obtain consent as well.

Separate and Specific Consent

In some cases, separate consent is mandatory. “Separate specific consent” is a new concept introduced by the PIPL which is required for the following types of processing:

 

  • Processing sensitive personal information;
  • Overseas transfers of personal information;
  • Disclosure of personal information to the public;
  • Provision of data to another data controller for processing; and
  • Use of any data collected through image or identification devices in public for purposes other than maintaining public security.

 

Sensitive personal information refers to personal information which, once leaked or illegally used, will easily lead to infringement of human dignity or harm to the personal or property safety of a natural person. Some examples of sensitive personal information include (but are not limited to) biometric data, health information, financial account information, location data and the data of children under the age of 14.

Other circumstances where separate consent is required in the human resources context will be where employee data is transferred outside of China (for example in a central database).

There is still some uncertainty as to the meaning of “separate” specific consent in practice, and we anticipate this will be a matter to be clarified in the upcoming guidance.

Next Steps

Employers should review their Labour Rules as soon as possible to ensure that the Labour Rules provide for the processing of their employees’ personal information, so that they can make use of the exemption under Article 13(2).

Employers should also ensure that their Labour Rules and other internal guidance have removed the employees’ expectation of privacy of their personal space, company electronic devices and/or communications at work in order to minimize the risk of these being protected under the employee’s rights of Privacy, which would require express consent of the employee to access or process.

Employers must also review their HR processes to understand what information they are collecting and retaining from their employees to assess where consent is needed.