China: New Data Protection Legislation Has an Impact on Employers

China: New Data Protection Legislation Has an Impact on Employers

As part of Chinese government’s effort to build a modernized data protection legislation regime, GB Standard, titled “Information Security Technology - Personal Information Security Specification”, becomes effective on May 1, 2018. 

This is the latest, but definitively not last piece of a series of regulatory documents that were driven by China’s new Cybersecurity Law, and there is no doubt that the employers in China have begun to feel its pressure.

Under the data protection legislation, personal information is defined as any information that can be used on its own or in conjunction with other information to reveal the identity of a natural person, including the person’s name, date of birth, I.D. card number, biological identification information, e.g. fingerprints and irises, address and telephone number, etc.

Considering this definition, basically, all employers will be involved in the collection of information that would be categorized as personal information from its respective employees from as early as the recruiting stage, and now, this usual practice, i.e. the collection of employee’s personal information, and its use, storage and transmission, especially cross-border transmission, all come under the regulation of the data protection legislation.

We comment below on certain personal information protection issues that all employers shall pay attention to.

① Information Collection at Recruiting Stage

Despite the employer has a right to know its employee, there is no doubt that the first rule of information collection is that it must be consensual. One worth-mentioning example is that a company will frequently commission a third-party investigator to conduct a background check of a candidate for a senior management position. It is important that the recruiting company should obtain the written consent of such candidate prior to the background check.

Another issue is that the scope of the personal information collected should be determined on the principle of necessity. This means in an employment relation, the employer should only collect the information that has a direct connection with the employment contract, such as age, gender, qualifications, experience and some other information which is necessary. The employees or any potential candidate should have the right to refuse to give personal information that has no direct connection with the work.

② Workplace Surveillance

It is not uncommon that some companies will surveille the employee’s work email, work laptop, the local network area and the workplace, etc. According to the basic principle of Chinese Labor Law, employer has the right to supervise the employees and workplace surveillance could be regarded as part of such supervision.

However, as personal information would be collected during this process, the data protection legislation would require that such surveillance should follow the principles of necessity, openness and informed consent. One good example is that in the case of video camera surveillance, the relevant information, such as the purpose of the surveillance and the location of the cameras, etc., should be disclosed to the employees.

③ Storage and Cross-Border Transmission

For multinational companies, it is a common practice that the personal information of an employee would be filed to a global human resources management system, such as EHRs, which is frequently hosted on a server outside of China. Such practice will involve in essence a cross-border transmission of personal information, which is caught by the data protection legislation.

The default rule is that personal information must be stored within China. It can only be transmitted out of China for some legitimate reasons. The employer should disclose the purpose, scope, content, recipient and other relevant factors of the cross-border personal information transmission to the employee and obtain his or her consent. 

Furthermore, as part of the compliance requirement, the employer should also conduct an internal security evaluation about the risks associated with cross-border transmission and overseas storage in order to ensure the safety of these personal information. 

However, unfortunately, not many MNCs have upgraded their standards up to the requirement of the data protection legislation, some of which are not even aware of the existence of such requirement, which would create a huge compliance risk.