The Personal Information Protection Law (PIPL), which is considered the first comprehensive law on personal information protection in People’s Republic of China (PRC or China), came into effect on 1 November 2021. Prior to PIPL, mandatory requirements on the cross-border transfer of personal information were outlined mainly in the PRC Cybersecurity Law, and applied only to “critical information infrastructure” (CII) operators. Many draft laws or best practice guidelines contain a variety of requirements on the cross-border transfer of personal information. However, they are either still draft laws or just recommended best practice. PIPL has adopted many of the provisions from draft legislation, as well as added new requirements, creating a more comprehensive framework of requirements for the cross-border transfer of personal information.1
Besides establishing comprehensive compliance requirements for the cross-border transfer of personal information, PIPL has also increased penalties for breaches, compared with the PRC Cybersecurity Law. If personal information is processed in violation of PIPL, a personal information processor may be subject to a variety of penalties, including a warning, an order to rectify, the confiscation of illegal income, a fine of up to RMB1 million, or, in the event of a serious violation, a fine of up to RMB50 million or 5% of the personal information processor’s previous year’s annual revenue. In addition to these penalties, if there is a serious violation, the personal information processor may be ordered to suspend or cease its business operations, or be subjected to a revocation of the relevant regulatory approvals or business licenses. Under PIPL, a personal information processor is an entity or person that independently determines the purpose and method of processing of personal information, which includes a multinational company (MNC) employer. Processing of personal information includes the collection, storage, use, transmission, provision, publication, and erasure of personal information.
Based on our current understanding of PIPL, this alert provides key takeaways for human resources management divisions of MNCs with PRC-based operations, noting the urgency for MNCs to comprehensively review their internal procedures.
Transferring Employees’ Personal Information
It is common for an MNC to centralize the management of its China operations in its regional or global headquarters outside of the PRC. In terms of human resources management, the regional or global headquarters outside of China generally collect employees’ personal information from China, which is now regulated by PIPL as a cross-border transfer of personal information.
Since the legal consequences for noncompliance under PIPL have become much more serious, it is advisable, as a start, for MNCs to take note of the following new key PIPL requirements.
Key requirements under PIPL that an MNC’s headquarters outside of China, as a foreign personal information processor, should be aware of when collecting personal information of their China-based employees are as follows
General Requirements for All Processors
PIPL provides a set of requirements that are applicable for all types of personal information processors in the context of a cross-border personal information transfer, which include:
- Human resource management policies: In general, the cross-border processing should be necessary for carrying out human resources management under a legally established employment policy and a collective employment contract entered into by an employer. Under the PRC Labor Contract Law, the formulation of employment policies which have an impact on employees’ interest does not require the consent of employees but should be done through due procedures, such as consultation with employee representatives, public announcement of the policy, or notification to employees.
- No less protection than PIPL: Foreign personal information processors that receive personal information shall take all necessary measures to ensure that the personal information is processed and protected by them in a way that is not below the PIPL standards.
- Data protection impact assessment: A prior personal information protection impact assessment is required before a cross-border transfer of personal information occurs.
In the event that the cross-border collection and processing of personal information is necessary for business purposes other than human resources management, separate notification to and consent of China-based employees are required.
Local Storage Requirement for Specific Processors
Among the general requirements that are applicable for all personal information processors, local storage requirements of personal information are applicable for CII operators and those processors whose processing of personal information reaches the threshold amount prescribed by the Cyberspace Administration of China (CAC). They shall store the personal information collected or generated from China within the territory of the PRC. Where it is necessary to transfer such personal information to an overseas recipient, they are required to pass a security assessment organized by the CAC.2
Requirements for Other Processors’ Cross-Border Collection
Personal information processors that are not subject to the local storage requirements are required to meet one of the following conditions:
- conclude a cross-border data transfer contract with the foreign recipient in accordance with standard contractual clauses formulated by the CAC; or
- go through a personal information protection certification conducted by a professional institution in accordance with regulations of CAC.
Specific Requirement for Sensitive Personal Information
PIPL and other guidelines categorize certain personal information as sensitive personal information, such as employees’ facial features, fingerprints, health conditions, bank account information, ID card, etc. Sensitive personal information includes personal information of a person under the age of 14. Accordingly, any information concerning an employee’s young family members must be processed with care. The processing of sensitive personal information is subject to a higher standard, especially in a cross-border context. When an MNC outside of China collect their China-based employees’ sensitive personal information, they should note the following requirements:
- there should be a specified purpose and sufficient necessity, and strict security measures must be adopted; and
- the employee must be notified of the specified purpose, the reason of necessity, and the impact on his/her rights and interests.
In the event that the processing of the relevant sensitive personal information is sufficiently necessary for a business purpose other than human resources management, a separate prior consent from China-based employees is required.
China-based Representative or Agency
According to PIPL, when a foreign personal information processor processes personal information of individuals residing within the territory of China for the purpose of analyzing and assessing the behaviors of such individuals, it is required to appoint a special agency or a representative in China (i.e., a China-based representative or agency) to be responsible for personal information protection-related matters. Because assessment review is part of human resources management of a company normally, whether foreign regional or global headquarters should have a China-based representative or agency designated for personal information protection in this context is subject to clarification in practice.
Notification to Individuals in Specific Events
Where a China entity employer or even regional headquarters of an MNC needs to transfer personal information of China-based employees due to merger, division, dissolution or bankruptcy, it shall inform the China-based employees of the name and contact of the recipient.
Blacklist of Foreign Personal Information Processor
Under PIPL, if a foreign personal information processor infringes on the personal information rights and interests of any Chinese citizen, or endangers the national security or public interests of China, it could be blacklisted by the CAC and restricted or prohibited to further collect personal information from China. Whether and to what extent this provision is applicable to foreign regional or global headquarters’ processing of personal information of their China-based employees is an open question.
We expect additional important developments with respect to PIPL in the months to come and will keep you informed of significant changes. Should you have any questions or concerns about PIPL or other legal developments in China, reach out to our China-based lawyers.