China Employment Law Update

The influence of PRC Cyber Security Law in the workplace

Before the establishment of the Cyber Security Law, an employer's data protection obligations were stated very briefly in Article 13 of the Provisions on Employment Services and Employment Management which stated that "An employer shall keep the personal materials of workers confidential and shall first obtain the employee's written consent before publicising such personal materials or a worker's personal information; this includes the worker's technology rights or intellectual property rights". There was no definition of "personal information", and no definition of "publicising".

The new Cyber Security Law defines "personal information" at Article 76 as being all kinds of information recorded electronically or through other means, whether taken alone or together with other information, which is sufficient to identify a natural person's identity, including but not limited to information such as citizens' full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers and so forth. This definition can be compared to the definition of "personal information" provided in the Provisions on Protecting the Personal Information of Telecommunications and Internet Users (issued by the Ministry of Industry and Information on 16 July, 2013) which lists personal information as a user's name, date of birth, identity card number, address, telephone number, account number, passwords and other information with which the identity of the user can be distinguished independently or in combination with other information. It is noteworthy that the Cyber Security Law puts an emphasis on identification, and includes personal biometric information in the concept of personal information. Consequently, the scope of the protection of personal information has been expanded. The Cyber Security Law also contains a provision regarding personal information which is collected or created by "critical information infrastructure operators". The definition of "critical information infrastructure operators" includes, but is not limited to, public communication and information services, power services, traffic services, water and electricity services, financial services and public services, with operations in mainland China. Personal information which is collected or created by such services must not be stored overseas. As the Cyber Security Law only lists certain types of "critical information infrastructures", the exact scope of the definition remains unclear. Once the definition has been clarified by the State Council, companies which fall within the definition of "critical information infrastructure operators" will no longer be able to transfer the personal information of their employees abroad.

Breaches of data protection law are covered by PRC criminal laws and public security administration laws; however the Cyber Security Law now imposes further legal obligations. Any infringement of the Cyber Security Law may entail a temporary suspension of operations, a suspension of business whilst remedial measures are put in place, websites being taken offline, and cancellation of relevant operational permits or business licenses. Individuals can be fined up to RMB 100,000 and the network operators can be fined up to RMB 1000,000.

The Cyber Security Law also states that network operators must not provide personal information to third parties except where it has been processed in such a way that the personal information cannot be recovered or identified. Additionally, operators must take immediate remedial measures in the event of the loss of personal information and must also alter or delete personal information which contains errors. Given that the terms "network operators" and "network" are broadly defined under the China Cyber Security Law, there is a possibility that most enterprises will be subject to the requirements. Whether this will in fact be the case remains to be seen.. Given the very significant changes ushered in by the Cyber Security Law and in particular, the harsh sanctions for breach, it is advisable to keep a close eye on any further developments and in particular, any implementation rules which hopefully will be issued before the law comes into effect on 1 June 2017.