Following the promulgation of the Personal Information Protection Law of the People's Republic of China (hereinafter the "PIPL") in November 2021, China's legal framework for personal information protection has been developing steadily. It has become an urgent task for multinational companies to review the compliance of their cross-border activities under China's personal information protection regime. We have advised numerous multinational companies on PIPL compliance for cross-border data processing, which has enabled us to understand and interpret the practical requirements of the PIPL. Based on this experience, we will publish three articles analyzing, from a practical PIPL perspective, how multinational companies balance the costs and risks of compliance.
This is the first article. In it, we discuss from the following perspectives how multinational companies can improve their compliance systems under the PIPL:
Foreign websites face a lower risk of being subject to the extraterritorial jurisdiction of the PIPL, whereas Chinese-language websites and intra-group cross-border data flows within an international group face a higher risk;
Besides individual consent, the necessity of human resource management and the performance of contractual obligations can also serve as the legal basis for collecting and processing personal information;
Performing the duty of notification when processing employees' data;
Anonymizing personal information so that a data flow does not constitute a transfer of personal information.
1. When overseas collection and processing of personal information is subject to the extraterritorial jurisdiction of the PIPL
Multinational companies usually have multiple subsidiaries or branches worldwide. If their overseas headquarters, subsidiaries or branches process the personal information of natural persons within China's territory (which includes not only PRC nationals but also foreign nationals within China's territory) under the conditions set out in Clause 2 of Article 3 of the PIPL, the PIPL has extraterritorial jurisdiction over those overseas entities. The PIPL applies to overseas companies in the following circumstances: (1) where the purpose is to provide products or services to PRC natural persons; (2) where the activities of PRC natural persons are analyzed and evaluated; and (3) other circumstances stipulated by laws and administrative regulations.
We once advised an overseas bank in North America, which provided online account-opening services to PRC residents, on data compliance under the PIPL. In that matter, it was relatively unlikely that the overseas bank's collection of Chinese clients' information through its website would be determined to be "analyzing and evaluating the activities of PRC natural persons", but highly likely that it would be determined to be "with the purpose to provide products or services to PRC natural persons". Because the Chinese clients' information was collected to facilitate more banking services to PRC residents, the collection should be subject to the extraterritorial jurisdiction of the PIPL.
In practice, the risk of being subject to the extraterritorial jurisdiction of the PIPL varies with the circumstances. From the regulator's perspective, we understand there is relatively little possibility and risk of triggering extraterritorial supervision under the PIPL where data is collected and processed merely because individuals in China access foreign websites. However, the following circumstances may pose higher risks:
a) Setting up websites in Simplified Chinese that target individuals in China and promote the company's products and services
Under such circumstances, the multinational company is highly likely to be determined to be an overseas personal information processor under Clause 2 of Article 3 of the PIPL, because its purpose of providing products or services to PRC natural persons is evident.
b) Cross-border Internal Data Flows of Multinational Companies
We once advised a European bank on information sharing between its China branch and its headquarters in Europe. In practice, there are mainly two ways for a domestic company of a multinational group to transfer personal information overseas: (1) to transfer the personal information it collected to an overseas server under an outsourcing agreement and deliver it to the owner of the server (which is not a member of the multinational group) for processing; or (2) to transfer personal information collected in China to a central server held by its overseas headquarters, or to use the multinational group's internal computer system to transfer the data to an overseas member of the group. We understand that the second way is the information sharing method adopted by this bank between its PRC branch and its overseas headquarters. It is highly possible that the data flow within the bank will be determined to be a form of cross-border data transfer, and the PRC branch may be required to undertake the obligations that attach to the cross-border transfer of personal information. Such activities are subject to supervision under the PIPL. We will elaborate in our next article on what should be taken care of in the cross-border transfer of personal information.
c) Large Amount of Personal Information Processed by Overseas Companies
PRC laws and regulations do not expressly define the term "large amount". By reference to Section 1 of Article 9 of the Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Exposure Draft), if the data to be transmitted abroad contains, individually or in aggregate, the personal information of more than 500,000 users, the network operator should report to the competent authority or supervisory department, which organizes a security assessment. Therefore, if the volume of PRC personal information processed by an overseas company is large (for example, over 500,000 individuals), the company may be at high risk of being subject to extraterritorial supervision under the PIPL.
2. Fully Establishing the Legal Basis for the Collection and Processing of Personal Information
When collecting or processing the personal information of PRC natural persons, multinational companies should fully establish and evaluate the legal basis for such activities. Article 13 of the PIPL establishes an "inform-consent" principle for personal information processing and provides six exemptions from individual consent. We suggest that multinational companies pay special attention to the following:
a) Method of Obtaining Individual Consent
An audit trail should be kept for obtaining individual consent. According to Article 69 of the PIPL, the principle for determining the liability of personal information processors is the "presumption of fault", that is, a personal information processor that wants to be exempted from liability bears the burden of proving that it was not at fault. This imposes a higher requirement on personal information processors to preserve evidence. Therefore, to avoid difficulty in proving their case in disputes, multinational companies, as personal information processors, are advised to properly record and archive the procedures for obtaining individual consent, compliance audits and personal information protection impact assessments, and to be cautious in relying on any legal basis other than individual consent, so as to better protect their rights and interests in disputes.
b) The Risk of Violating the PIPL Without Individual Consent is Low for the Following Legal Bases
Individual consent can be exempted if a multinational company: (i) as a party to a contract, collects and processes personal information to conclude and perform that contract; (ii) collects employees' personal information for the purpose of human resource management; or (iii) collects personal information to perform statutory duties or obligations. Therefore, if a multinational company conducts any of these activities, the risk of violating the PIPL is relatively low even if individual consent is not obtained. Nevertheless, we still recommend that our clients seek legal advice from professionals before relying on the above items as a legal basis.
4. Reviewing the Compliance of Processing Employees' Data
a) Reference Checks and Human Resource Management
According to Article 13.1.(2) of the PIPL, a company's collection or processing of employees' personal information may be based on the following two approaches, neither of which requires the employee's consent:
(i) Reference checks: necessary for the conclusion and performance of a contract to which the individual is a party
According to Article 8 of the Labor Contract Law, an employer is entitled to know an employee's basic information in relation to the labor contract, and the employee shall truthfully provide such information. Therefore, if the purpose of the reference check is to collect and process an employee's basic information in relation to the labor contract for the better performance of that contract, the employer may process the employee's personal information without the employee's consent.
(ii) Human resource management: with reference to internal labor rules and regulations legally formulated and collective contracts legally concluded
In addition to the employee's basic information mentioned in item (i), companies may also need to collect other personal information of employees to meet the needs of human resource management, such as salary, sick leave and attendance information. Generally speaking, companies may stipulate and publicize the collection and processing of employees' personal information in labor rules and regulations formulated in accordance with the law, but the collection and processing of such information shall be limited to what is "necessary for human resource management". Companies shall not arbitrarily collect and process employees' sensitive personal information, such as religious beliefs and whereabouts and movement tracks, merely for the purpose of human resource management.
b) Content and Manner of Notification by the Employer
Under the PIPL, when a company, as an employer, collects and processes employees' personal information and performs its duty of notification to employees during onboarding, training and other human resource management activities, it shall comply with the following requirements of the PIPL as to content and manner:
(i) Companies shall inform employees of the name and contact information of the personal information processor, the purpose and method of processing, the types of information, and the storage period and location, in a concise, transparent, easy-to-understand and conspicuous way.
(ii) Separate consent from employees shall be obtained before processing employees' sensitive personal information. Companies shall inform employees of the necessity and impact of such processing, conduct a personal information protection impact assessment in advance, and keep records of the processing afterwards.
(iii) Companies shall inform employees of their legal rights and provide convenient and feasible channels for exercising those rights.
When entrusting a third party to collect or process employees' personal information, companies shall inform employees of the name and contact information of the third party and enter into an agreement with the third party on its rights and obligations, such as the processing method, information types, purposes and period. Companies are also required to supervise the third party's processing of personal information under the PIPL.
5. De-identification and Anonymization of Personal Information
The definition of personal information under the PIPL explicitly provides that information about individuals before anonymization is personal information and is protected by the PIPL. Article 51 of the PIPL stipulates the obligations of personal information processors to prevent the leakage, falsification and loss of personal information, including adopting corresponding technical security measures such as encryption and de-identification. Therefore, multinational companies that store personal information are advised to adopt the necessary technical measures for its de-identification and anonymization.
In a project in which we participated, a Hong Kong-based bank used an identity information comparison service to help PRC customers open bank accounts in Hong Kong. Although the identity information comparison service provider encrypted the comparison result during the cross-border data flow, the result was ultimately decrypted before being presented to the Hong Kong bank. In our understanding, the clients' personal information was therefore not anonymized, and the cross-border flow of such personal information is still governed by the PIPL.
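The distinction drawn above, as an added illustration in Python that is not part of the original article: a record encrypted in transit and decrypted on arrival is still the original record; de-identification (tokenizing direct identifiers with a key the processor retains) can be reversed; only anonymization removes the re-identification path. The sample record, the key values and the toy cipher are constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed sample: the kind of identity-comparison result the service in the
# text might return for one customer. All values are hypothetical.
RECORD = {"name": "Zhang San", "id_number": "110101199001011234",
          "birth_year": 1990, "match": True}
DIRECT_IDENTIFIERS = ("name", "id_number")


def transit_cipher(payload: bytes, key: bytes) -> bytes:
    """Toy stand-in for transport encryption (SHA-256 keystream XOR). Like any
    real cipher it is reversible with the key, which is the only property the
    argument needs: encryption protects data in flight, not after delivery."""
    blocks = len(payload) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(payload, stream))


def deliver_over_encrypted_channel(record: dict, key: bytes) -> dict:
    """Encrypt at the provider, decrypt at the bank: the bank ends up holding
    the original record, so it is still personal information."""
    wire = transit_cipher(json.dumps(record, sort_keys=True).encode(), key)
    return json.loads(transit_cipher(wire, key).decode())


def de_identify(record: dict, key: bytes) -> tuple:
    """Replace direct identifiers with keyed HMAC tokens. The processor keeps
    the token -> value map, so the record can be re-linked later: this is
    de-identification, and the data remains personal information."""
    masked, relink = dict(record), {}
    for field in DIRECT_IDENTIFIERS:
        token = hmac.new(key, record[field].encode(), "sha256").hexdigest()[:16]
        masked[field], relink[token] = token, record[field]
    return masked, relink


def re_link(masked: dict, relink: dict) -> dict:
    """Reverse de-identification using the retained token -> value map."""
    return {f: relink.get(v, v) for f, v in masked.items()}


def anonymize(record: dict) -> dict:
    """Drop direct identifiers and coarsen the remaining quasi-identifier;
    nothing is retained that could reverse the transformation."""
    return {"birth_decade": record["birth_year"] // 10 * 10,
            "match": record["match"]}
```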
We will continue to share our understandings in the next two articles on how multinational companies balance risks and costs under the PIPL.