trends legal magazine
Employment Law No 7
CHINA | Observations of personal information protection in employment
Given this, employers should be cautious about processing employees’ personal information during employment as they navigate the new era of data protection in China.
Do I need consent to process employee data?
The PIPL sets out multiple legal bases for personal information processing, with the idea of seeking “informed consent” at the core. Generally speaking, an employer may process an employee’s personal information subject to his/her consent. Apart from obtaining such consent, personal information can also be processed under one of the following legal bases:
- processing is necessary to conclude or perform a contract to which the individual is a party or necessary to implement human resources management in accordance with the internal labor rules and regulations and the collective contract;
- processing is necessary to perform legal duties or statutory obligations (such as paying the salary, withholding the personal income tax and contributing the social insurance and housing funds for employees);
- processing is necessary to respond to a public health emergency or to protect natural persons’ health and properties in an emergency (such as disclosure of certain employees’ personal information for epidemic prevention pursuant to the laws and regulations);
- personal information is processed to a reasonable extent for purposes of carrying out news reporting and public opinion monitoring for public interests;
- processing personal information that has been made public by the individual concerned or in other lawful ways, to the reasonable extent permitted by the PIPL (such as processing an employee’s personal information that is posted on social media); or
- other circumstances permitted by laws and regulations.
The PIPL makes it clear that employees’ consent is not required under any of the circumstances listed above.
The PIPL requires the employer, as processor, to inform the employee of the following truthfully, accurately and completely, in a conspicuous manner and in clear, easy-to-understand language, before processing, unless applicable laws and regulations require otherwise or informing is not practically feasible due to an emergency:
- name and contact details of processor;
- purposes and methods of processing and catalogues and storage period of personal information to be processed;
- methods and procedures through which employees can exercise their rights granted by the personal information protection law; and
- other matters that are required to be informed by laws and regulations.
After being fully informed, employees may give their explicit consent on a voluntary basis, or each individual shall give his/her separate consent or written consent if laws and regulations so require. In the event of any change in the processing purposes, processing methods or catalogues of personal information to be processed, the processor is obligated to obtain employees’ consent again.
Moreover, the PIPL requires employers to obtain “separate consent” on various occasions, including cross-border transfer, public disclosure of personal information, provision of personal information to a third party and processing of sensitive personal information. However, the PIPL does not clearly define what a “separate consent” is. The prevailing understanding is that separate consent requires a special formality in obtaining the employee’s informed consent, but what such special formality should be needs clarification from the law.
What are the privacy and data protection issues inherent in alcohol / drug testing?
Alcohol/drug testing is not a mandatory employment condition. The Civil Code provides that privacy refers to the peace of a natural person’s private life, as well as the private space, private activities, and private information that he/she does not want to be known by others. The employer may only process the private information related to alcohol/drug testing based on the explicit consent of the employees, unless laws and regulations require otherwise. Where the privacy right is infringed upon, the employee has the right to request the employer to assume civil liability in accordance with the Civil Code and other laws. Alcohol/drug testing will trigger privacy concerns, and therefore, as a precaution, employers shall obtain explicit written consent from employees before conducting any alcohol/drug testing.
How can I legitimately monitor employees’ email, internet usage and social media?
While Chinese law protects privacy, it has not yet clearly defined the boundary between employees’ privacy in the workplace and employers’ HR management. It is a common understanding that employees have limited rights to privacy in their workplace and that their employers may manage workplaces as per business operation needs, including monitoring employees’ email, internet usage, work laptops, etc., if they have legitimate business purposes, their management measures are reasonable, employees are duly informed and, if possible, employees’ consent is obtained. One good example is that, in the case of video camera monitoring, the relevant information, such as the purpose of monitoring and the positions of cameras, should be disclosed to employees. It is always good practice for employers to obtain consent from employees before carrying out such workplace monitoring.
To legitimately monitor employees’ activities at work via working equipment, (i) employers may highlight in their rules and regulations that (a) working equipment is to be used for work purposes only; (b) working equipment and the information in it are company property; and (c) privacy laws do not apply to working equipment and the information in it; and (ii) employees should acknowledge their receipt of, and agreement to be bound by, such rules and regulations.
What are the limits of using artificial intelligence in employment?
In the event of automated decision-making that utilizes personal information, employers should ensure the transparency of their decision-making and the fairness and impartiality of the results, and should not treat employees in a discriminatory manner. When pushing information to employees through automated decision-making, employers should at the same time provide options that do not target employees’ personal characteristics, or offer convenient ways of rejection. Employees also have the right to request an explanation regarding the use of the personal information, or to refute a decision made by the employer solely based on automated decision-making if it impacts the employees significantly.
Moreover, employers should conduct a personal information protection impact assessment prior to such automated decision-making in employment.
What are the data protection issues in whistleblowing?
In practice, internal investigations into non-compliance matters are often triggered by employees (usually called “whistleblowers”). Employers may receive and process the personal information of the whistleblower and the individuals involved throughout the entire process of an internal investigation, such as when registering the whistleblower’s report, asking the employees/individuals involved to provide documents and explanations related to the investigation, and conducting the investigation. Moreover, employers may process sensitive personal information (such as health information and financial information) during the internal investigation.
Legal basis for processing personal information in whistleblowing
The PIPL provides six legal bases for processing personal information, which are also applicable to internal investigations. In practice, it is always advisable for employers to fully inform employees about the processing of personal information involved or likely to be involved during internal investigations and to ask them to sign a consent form as early as possible. It will be difficult to obtain an employee’s consent once an internal investigation has been initiated.
Collecting employees’ data/personal information via working equipment
Many employers provide working equipment (computer, mobile phone, etc.) to employees. As discussed above, employees may have limited rights to privacy in their workplace, and their employers may monitor their activities via working equipment as per business operation needs, if they have legitimate business purposes, their management measures are reasonable, employees are duly informed and, if possible, employees’ consent is obtained. From this perspective, employers have the right to collect employees’ data/personal information via working equipment. However, it deserves continued attention whether courts may apply a higher threshold when determining employers’ rights to do so, considering that judicial practice relating to privacy protection is developing.
Personal information cross-border transfer in internal investigation
In multinational enterprises, internal investigations may involve the cross-border transfer of personal information. The local investigation team often needs to hold discussions with and report to the compliance team at overseas headquarters to determine the background, strategy and final decision of the investigation. Alternatively, the compliance team at overseas headquarters may carry out the internal investigation directly. The prevailing view is that where multinational enterprises transmit, from China to overseas, personal information and data they generate or collect in their operations within China, this will be deemed a cross-border data transfer under the PIPL. Generally speaking, an employer may proceed with the cross-border data transfer once it meets the following:
1. Separate informed consent: The PIPL imposes separate informed consent obligations on the employer for cross-border transfer of personal information, on top of the general informed consent requirements for in-country collection and use of personal information:
- the employer is to inform employees of the name and contact details of the overseas recipient, the purposes of processing, the methods of processing, the catalogues of personal information and the means and procedures to exercise personal information subject rights against the overseas recipient; and
- the employer is to obtain employees’ separate consent.
2. Prior impact assessment: The employer should conduct a personal information protection impact assessment prior to cross-border transfer of personal information.
3. One of the legal bases listed below: The PIPL requires the employer to complete any one of the following before a cross-border transfer of personal information, in addition to obtaining the separate informed consent and conducting the prior impact assessment:
- prior security assessment organized by the Cyberspace Administration of China (CAC); or
- certification by professional institutions of personal information protection in accordance with provisions of CAC; or
- execution of contracts, based on a standard contract enacted by CAC, with overseas recipients specifying their respective rights and obligations; or
- other conditions as required by the applicable laws and regulations or CAC.
Kevin Xu, Partner
Craig Zhou, Attorney-at-law
Jackie Gao, Attorney-at-law
The Law Firm Network is a network of independent law firms originated in 1989. Our members are not affiliated in the joint practice of law; each member firm is an independent law firm and renders professional services on an individual and separate basis.