Since the Personal Information Protection Law (PIPL) came into effect last year, foreign companies operating in China have had to adapt to stricter compliance standards when processing employees' information. Chinese authorities have been actively investigating suspected violations and issuing fines.
The rules set forth by the PIPL apply to any organization that processes the personal information of individuals located in China for the purpose of providing them with products or services, analyzing or assessing their behavior, or for "other purposes to be specified by laws and regulations."
The law applies not only to local companies but also to foreign firms processing such data, even if the processing occurs outside of China. In order to process the data of individuals in China, foreign "personal information processing entities" must follow certain guidelines and requirements, including designating a representative or a dedicated entity within China to handle personal information protection matters.
The PIPL, which came into effect on November 1, 2021, is similar in size and scope to the EU’s General Data Protection Regulation (GDPR).
Along with China’s Data Security Law, the PIPL creates a framework that gives China’s government broad enforcement capabilities and creates a strict compliance environment for the nation’s big tech companies and international businesses operating in China.
The goals of the PIPL are to “protect the rights and interests of individuals” and facilitate the “reasonable use” of personal information through the regulation of personal information processing activities.
Companies are prohibited from sharing employees' personal information with third parties without their consent. If a firm uses a third party in the recruitment process or to conduct a background check, the enterprise must obtain the written authorization of the employee; otherwise, it may infringe on the individual's rights.
When hiring a person, a company may only collect "basic information directly related to the labor contract", such as name, gender, nationality, identity certificate number, address, personal email, health status, education and degree, work experience, and emergency contact, among others.
The scope and content of the information collected should be determined by the employer, and should be reasonable and kept to the minimum necessary. For any sensitive personal information that must be collected, the separate and explicit consent of the employee must be obtained.
It is imperative that companies protect collected personal information in both hard and soft copy, such as employees' certificates, files, and documents containing personal information, as well as fingerprints and facial recognition data (if any). Storage and transmission equipment, and any devices on which such information is held, should be encrypted as a security measure.
Employees’ personal information can be stored on equipment provided by the company, including mobile phones, computers, and other devices. To reduce legal risks, employees shall be informed in writing before the company provides equipment that it shall not be used for personal affairs, and the employer reserves the right to inspect and monitor information on such equipment.
Employees should be reminded to delete personal information before equipment is repaired, inspected, or recycled. Any employee’s personal information found shall be kept confidential.
Multinational companies need employees' written authorization and separate consent before transmitting any personal information abroad. Appropriate security measures, such as engaging network security service providers, deploying firewalls, and other means of ensuring the security of the information, should be implemented.
There are significant restrictions within the PIPL regarding data that crosses borders. For example, organizations that are designated as Critical Information Infrastructure (CII) operators must submit to a mandatory security assessment conducted by the Cyberspace Administration of China (CAC).
For companies that are not designated as CII operators, transferring data beyond Chinese borders requires the organization to pass a security assessment organized by the CAC (mandatory once the volume of personal information processed exceeds thresholds set by the CAC), obtain personal information protection certification from a professional institution in accordance with CAC rules, or conclude a standard contract, on terms formulated by the CAC, with the overseas recipient.
Once data leaves Chinese borders, the transferring entity remains responsible for ensuring that the same level of protection continues to apply, including for data handled by third-party processors overseas.
In case of labor termination, companies should archive only the necessary information and delete sensitive personal information and other data that is no longer required. If a new employer requests a background check, the employee must give prior written consent before the former employer discloses his/her information to another company; otherwise, the disclosure is likely to infringe on the employee's rights and interests.
One of the challenges with PIPL compliance is the lack of specificity in much of the law, along with its rapid implementation. While the GDPR gave organizations two years to prepare for implementation, the PIPL went into effect less than three months after being passed into law (adopted on August 20, 2021, effective November 1, 2021).
Regardless, any organization collecting or processing personal information from individuals in China must comply.
One of the first things organizations need to do to ensure that they comply with the PIPL is review their data processing practices. Under the PIPL, businesses must have a lawful basis for any personal information of individuals in China that they collect, store, or process.
The PIPL requires the personal information collected to be limited to the smallest scope necessary to fulfill the stated purpose.
A company must have a clear and reasonable purpose for data collection or use, such as to enter or perform a contract, conduct human resources/personnel management practices per labor policies, comply with legal duties, and to respond to public health incidents or protect the rights and interests of Chinese citizens.
Businesses using data for purposes outside those listed here should review their data processing policies carefully with their legal counsel.
In most cases, the PIPL requires organizations to obtain consent for data collection and processing, and separate consent for sensitive personal information, sharing with third parties, and cross-border transfers. Companies should review their collection and use policies to make sure consent is obtained where required.
To learn more about our services in China, contact our Head of Business Advisory - Ms. Kristina Koehler-Coluccia at firstname.lastname@example.org.
DISCLAIMER: All information in this article is verified to the best of our ability and is assumed to be correct at time of release; however, Woodburn Accountants & Advisors does not accept responsibility for any losses arising from reliance on the information provided within. The information provided is for general guidance and does not replace specialized advice.