China Law Library

China Employee Privacy Law Explained

Employees in China now enjoy strict legal protections for their privacy rights, especially as to data protection. The China Personal Information Protection Act provides a comprehensive data protection regime for individuals, and the government has been continually increasing the intensity of enforcement. Unlike American state data protection law, which is limited to just consumers, Chinese law also protects employees as data subjects. Moreover, they are internal data subjects, meaning their subordination to and dependence on the business afford them special concern.

Thanks to recent changes in the law, approaching Chinese employee privacy from the perspective of typical HR practices and employment law will result in violating privacy law. This article inspects the compliance issues and provides guidance on how employers can comply with the law while running their business effectively.

Contents

Typical HR Activities that Conflict with Privacy

China Employee Privacy Legal Protections

Employee Data Subjects Rights

Regulatory Penalties Are Severe

Compliance Recommendations

 

Typical HR Activities that Conflict with Privacy

Human resources managers in China say they have an ever-increasing need to process employee data, driven by industry requirements, employee type, function, and workplace policies, mainly with the intention of improving worker efficiency. Employers need to collect employee information for a wide range of purposes including security, operations, benefits management, and compliance.

Ideally, your staff will not object to you collecting and processing their personal data, but things are rarely that easy. The parties’ interests are not aligned, and Chinese workers are often unwilling to sacrifice their personal privacy in order to cooperate with their employer’s needs.

Business processes could be seriously disrupted if employees refuse to cooperate or exploit loopholes in the process. In China, conflicts over personal information in employment tend to be concentrated in the attendance and investigations contexts.

Attendance. Non-sensitive attendance information such as employee work hours and clock in and clock out times does not raise a concern. But common Chinese management techniques can raise several issues:

  • Using facial recognition or fingerprints to prevent fraud when employees clock in or clock out, which is deemed sensitive personal information.
  • Using location tracking at work sites to verify attendance for people working outside the office, such as salespersons and field technicians.
  • Using location tracking for workers suspected of faking sick leave to see if they are moonlighting or traveling, thus verifying they are actually sick.
  • During pandemic conditions, requiring employees to wear wristbands that track their location to see if they have come into contact with infected persons.
  • When verifying maternity, paternity, or parental leave requests, asking employees to provide information about those plans.

Internal Investigations. Managers in China routinely need to collect evidence related to breaches of contract or policy violations, or to verify information about an employee, investigating facts both internally and externally. Typical use cases are pre-hire employment screening, disciplinary violations, and post-employment noncompete compliance. During pre- and post-employment investigations, individuals who could face a potential legal dispute are generally resistant to providing access to their personal data. These activities often include:

  • Employee personal bank transaction records are relevant to whether they received kickbacks from a vendor, and thus the employer demands the records.
  • The employer is recording conversations with an employee as evidence.
  • The employer records employee conversations without their knowledge as part of evidence collection activities.
  • In order to enforce a non-compete provision, the employer videotapes terminated employees as they are traveling to and from work for a competitor.

China Employee Privacy Legal Protections

The Chinese government is increasingly emphasizing personal information protection, as seen in new laws in the China Civil Code and the China Personal Information Protection Act, which have restricted and even obstructed employer collection and use of employee data. Human resource management activities often implicate data protection and personal privacy in the form of employee data processing restrictions.

Employee privacy and legal rights. The Civil Code defines privacy as encompassing a person’s right to not be disturbed and for other people not to know of their private space, activities, and information. Privacy rules take priority for private information; otherwise data protection rules apply. Privacy and data protection are different legal concepts that have some overlap.

Privacy constitutes a fundamental right of the person and violating it is a tort unless there is a statutory defense, with the elements of tortfeasor’s wrongful subjective intent, wrongful act, actual damage, and proximate cause.

Collecting excessive personal information about an employee without their consent can amount to an invasion of privacy under Chinese law. A problem for employers is that judicial precedent on what is “excessive” is inconsistent, with some courts vigorously supporting employees’ right to privacy and others siding with employers. Employers should therefore be particularly cautious when analyzing whether a data collection practice could violate employee privacy rights.

Lawful Basis Exceptions. The Act provides a lawful basis for “practices necessary for human resource management under employer policies in accordance with law and collective bargaining contracts.” What this legal basis covers as “necessary for human resources management” has been a subject of debate, so you need to analyze it thoroughly, considering who processes the data, what data is processed, and how it is processed.

Subject Matter. The China Employment Contracts Act allows employers access to basic information on employees that is “directly related to the employment contract.” This exception is actually very narrow, with explicit statutory coverage only for the employee’s name, address, and government identification number. Courts have provided a little more leeway in some cases.

In the Li case in Shanghai, the court held that information relevant to employment requirements could also include the employee’s work history, education, age, and health. There is a question as to whether information sought by larger companies or more sophisticated HR software, such as information about employees’ children and family contacts, is relevant to human resources management. There are also more aggressive human resources practices, such as pre-employment background checks and internal compliance investigations, which in many cases are highly doubtful.

Processing Activity. Even if the subject matter of the personal information is acceptable to collect, the manner in which you process it may be prohibited. The reason is that the China Personal Information Protection Act imposes a heightened separate consent requirement when processing personal data in a way that could impair the data subject’s rights, particularly when it involves sensitive information, public processing, cross-border transmission, or provision to third parties.

When the Act was still new, there was speculation as to whether the statutory human resources exception could enable organizations to be exempted from the separate consent requirement by using. Now, it is generally agreed that there is no such exemption because the separate consent requirement is focused on the data processing activities described above, which are not relevant to how most organizations manage their workforce.

Therefore, employers with these needs should choose a conservative strategy, that is, use the notice and consent legal basis to be in compliance with the Act.

Applicability. The Act requires such data processing to be “necessary for human resources management” and to follow all “lawfully prepared” employee policies and collective bargaining agreements. Lawfully prepared means that the employee policy provisions are made pursuant to the China Employment Contracts Act, drafted following an inclusive negotiation process and with workplace notices subsequently posted. A collective bargaining agreement must be prepared following a meeting between management and the union with participation from the government labor regulatory agency.

Interns & Gig Workers. Give consideration to whether your employee policies are applicable to formal employees such as retirees returning to do some work, or to interns.

What usually happens is that the employer will include contract provisions in agreements for gig workers or interns stating they will be bound by the organization’s policies. While it’s true that the majority of workers will accept this type of provision, such provisions do not reflect a true meeting of the minds by the parties. Instead, they reflect generalized consent by gig workers or interns to accept the company policy, and human resources policies will not necessarily apply to gig workers. Given these considerations, employers should minimize data processing compliance risks by using informed consent as their legal basis instead of relying on the human resources management basis, which is a more conservative approach.

Employee Data Subjects Rights

The China Personal Information Protection Act provides employees with broad rights as data subjects, spanning rights to delete and access data and to receive an explanation about the rules for processing personal data. These rights necessarily restrict what human resources managers can do. While there are limits on employees’ personal data rights, those limits are vague. For example, employees may exercise their data rights during an employment arbitration, which can complicate the employment dispute resolution process.

Layered compliance requirements, if applied reasonably, can enable human resources managers to collect employee personal information for the organization with employees’ effective consent. Nonetheless, this special legal basis can never exempt a business from the Act.

The Act imposes the fundamental principles of legality, legitimacy, data minimization, and trustworthiness, but as data controllers, employers must also comply with several technical and administrative requirements for notice, impact assessments, and internal controls.

Duty to Notify. Unless another Chinese statute or regulation imposes confidentiality requirements or relieves a party from notice obligations, providing personal data processing policy disclosures to employees is mandatory even when processing is not based on the notice and consent process. In these cases, employees must be informed about the categories of personal information collected, the retention period, and the mechanisms available for exercising data rights.

Data Protection Impact Assessments. The Act requires a DPIA to be done in the following contexts:

  • Processing sensitive personal data
  • Automated decision making
  • Contracted data processing
  • Providing data to another controller
  • Transmitting data outside of China

Employers are likely to encounter one of these use cases as they increase the scale of their employee data processing operations. Data Protection Impact Assessments require involvement of several teams, typically HR, IT, compliance, and legal, along with an outside law firm counsel. The process is both necessary and resource intensive.

Internal Management and Security Policies. The Act requires data controllers to implement an internal management policy and programs such as access restrictions and work instructions, and to have a comprehensive program for encryption and deidentification. As employers increase the scale of their China employee data processing operations, they will need to establish an increasingly comprehensive compliance program with cybersecurity policies that keep them in control of data processing and ensure its security. Thus, employers should balance the expected gains from scaling up employee personal data processing against the expected costs of compliance.

Regulatory Penalties Are Severe

Employers who unlawfully collect or process employees’ personal information could be sued in China by that employee or another party in interest. The Act authorizes regulatory penalties and fines to enforce personal data processing requirements on all organizations. In the case of ordinary violations, the government agency will issue a corrective action order to the data controller for the offending conduct, and confiscate gains derived from the violation. Failure to comply with the corrective action order can result in a fine up to RMB ¥1,000,000. In the case of severe offenses, the controller can be fined up to RMB ¥50,000,000 or up to 5% of their annual revenue.

Currently, employers are unlikely to receive penalties for severe offenses under the Act on grounds of mishandling employee or other internal parties’ personal information. Nonetheless, the Chinese government imposes significant penalties for even ordinary violations, so employers should evaluate the potential legal risks involved with collecting or processing such data.

Compliance Recommendations

The above discussion reveals there is an inherent tension between human resources management and employee data protection in China. However, organizations can balance their HR needs against data protection requirements and control their legal risks by considering the following two practices.

Employers should look at how they are incorporating the legal basis for notice and consent reasonably in their human resources compliance documents, especially by making the necessary amendments to their employee handbooks, contracts, privacy policies (and implementation), and consents.

Management should quickly set up compliance programs, updating their internal management policy, setting up data processing rules for employees and third-party partners, and adopting a Data Protection Impact Assessment process. Doing so will make it easier to respond to questions from employees and possibly government agencies about your organization’s compliance.

 
