China released the first draft of its Personal Information Protection Law (the “Draft PIPL”) on 21 October 2020 and invited public comments until 19 November.
The future promulgation of the PIPL will have a significant impact on various aspects of the processing of personal data by businesses within or outside China (through its extraterritorial application, as discussed in our previous newsletter). It will affect not only the processing of customer data in the course of commercial operations, but also employee data in the context of employment relationships. This article touches on the key implications of the Draft PIPL for employers, through the data lifecycle of employee recruitment, employment, and termination of employment.
What employee data are protected?
Art. 4 of the Draft PIPL provides that all kinds of information, whether recorded electronically or otherwise, that relates to an identified or identifiable natural person will be protected as personal information (“PI”). Before and during the employment phase, an employer will collect a large amount of PI including identity information, education background, employment history, professional credentials and even health information, criminal history of candidates/employees for talent screening, interview records, background checks, etc. The more sensitive personal information such as health information, criminal records, financial information, etc. will be subject to more stringent regulations under art. 29-32 of the Draft PIPL. Interestingly, the Draft PIPL further clarifies that PI does not include anonymized data, a concept similar to that which exists under the EU General Data Protection Regulation (“GDPR”) referring to data that can no longer be used to identify a natural person. Nevertheless, given the technical difficulties in achieving data anonymization, a large amount of data that employers process will be PI subject to the Draft PIPL.
Processing of employee data requires a legal basis
One of the core principles under the Draft PIPL is that employee data shall be processed in a lawful and legitimate manner. Apart from consent, which has long been established as the only lawful ground for processing under existing laws and regulations (e.g. the Cyber Security Law (“CSL”)), art. 13 of the Draft PIPL introduces several new lawful grounds (see our previous article here for further details), among which the following might be considered as the most appropriate in the employment context:
i) where necessary for the execution or performance of an employment contract (“contractual necessity”);
ii) where necessary for compliance with an employer’s legal responsibility and obligations (“legal obligations”);
iii) where necessary for responding to a public health emergency, or in an emergency to protect the safety of natural persons’ health and property (“public task”).
These GDPR-aligned new lawful grounds would be a welcoming change for employers, assisting international companies with their global recruitment and employee management. For example, an employer would be able to process candidate/employee data based on contractual necessity (if implemented in the finalised law) so as to assess the candidate’s suitability for the recruitment and to administer employees’ payrolls and benefits, etc. During the COVID-19 pandemic, employers may process employees’ certain health information relying on its obligations under employment law or public task necessity. In other circumstances, however, consent will be likely to remain an important lawful ground, e.g. to allow the use of IT system for employee management and monitoring.
Responding to employees’ data subject rights
Employers are required to establish a mechanism for responding to employees' data subject rights, including rights:
i) to be informed and make self-determination. In practice, this may be fulfilled by furnishing employees with relevant information through an employee privacy notice/policy, outlining the identity and contact details of employers, the purposes and means for processing, retention periods, employees’ data subject rights, etc.
ii) to restrict or object to certain processing, e.g. the right to object to automatic decision-making during the recruitment process;
iii) to access and obtain a copy of an employee’s personal data processed by their employer;
iv) to rectify incorrect information and delete information when e.g. the purposes for processing have been achieved or the agreed retention period has expired; the employment contract is terminated; employees’ consent has been withdrawn; or the processing is contrary to law or the agreement, etc. This would require employers to establish a clear internal data retention policy to ensure they delete, or where the statutory retention period has not expired or where technically difficult, to stop processing relevant employee data upon request;
v) to receive an explanation of employee data processing rules; and
vi) to be given reasons as to why an employee’s request was refused (art. 44-49).
However, the Draft PIPL itself fails to provide further details as to when and how employers should respond to or can be exempted from fulfilling the above rights. Please refer to the previous newsletter for the discussion on individual rights.
Sharing and cross-border transfer of employee data
It is common for employers to engage third-party vendors for employment-related services such as recruitment, background checks, payrolls, etc. Where employers share employee data with entrusted third-party vendors, the Draft PIPL requires employers to, for one thing, notify employees and obtain their separate consent, and for another, enter into processing agreements with entrusted vendors and supervise such processing.
When transferring employees’ PI to other offices outside mainland China for administrative purposes, employers may now be pleased to see new cross-border transfer mechanisms have been offered in the Draft PIPL, although without detailed implementation rules or explanation: obtaining certification, signing data transfer agreements, etc. Please refer to the previous newsletter for further details. Further to the above, employers are required, among other things, to notify employees whose PI is to be exported and obtain their separate consent and conduct and record a risk assessment as mentioned below.
Accountability: employers’ obligations for data governance
In compliance with the new accountability principle under art. 9 of the Draft PIPL, employers will be held responsible for and required to adopt necessary safeguard measures to ensure the security of employee data processing, e.g. security measures, appointing data protection officer (where required), conducting and recording risk assessment, and following data breach notification. Please refer to the previous newsletter for further details.
Liability of employers
- Administrative penalty: If an employee lodges a complaint to the relevant authority against his/her employer or if an employer is found by the authority to have violated their employees’ PI rights, the employer could be faced with substantial administrative penalties. One of the other notable changes that employers should be aware of is that the Draft PIPL introduces much larger fines than those under existing laws and regulations relating to data protection. An organisation’s breach of required obligations may result in it being subject to concurrent or separate fines up to RMB 50 million (US$7.5 million) or 5% of the previous year’s annual turnover, as well as other adverse consequences such as business suspension, license revocation etc. Simultaneously, managers and other staff of organisations directly responsible for the offence could be subject to fines up to RMB 1 million (US$152,100).
- Civil liability: Employees can file a civil lawsuit against employers in courts for e.g. breach of employment contract, breach of personality right, or tort liability in the wake of a data breach in the workplace. In this regard, art. 65 of the Draft PIPL provides that liability of the PI infringer (i.e. the employer) will be determined based on the damages suffered by the injured party (i.e. the employee) or illegal gains derived from the infringement; if the said damages or illegal gains are difficult to be ascertained, the people's court shall determine the amount of compensation based on the actual situation. In addition, the Draft PIPL appears, for the first time, to introduce the “shifting burden of proof” rule, that is, only when the employer as a PI infringer can prove that it is not at fault, can its liability be reduced or avoided. Key takeaways for employers in this aspect are that employers should document relevant consent forms, records, policies, etc., and be prepared to prove their compliance with laws and regulations in case of future labour disputes relating to employees’ PI protection.
- Criminal Conviction: The Draft PIPL generally sets out that criminal liability will apply if a violation amounts to a crime. If an employer is found to illegally acquire, sell or provide employee data to third parties (which constitutes a crime as defined under the existing PRC Criminal Law, its amendments and relevant juridical interpretation), the employer could be subject to criminal liability including detention or up to 7 years' imprisonment and/or a fine depending on the severity of the illegal conduct.
Once adopted, the PIPL will, along with the CSL and the Data Security Law (currently still in the draft form), serve as the so-called three-pillar regulatory framework governing data in China. Although the exact final form of the Draft PIPL is yet to be seen, it is imperative for employers to stay ahead of the curve and be prepared for this significant change of regulatory landscape in the near future.