By K. Lesli Ligorner and Ying Li, Simmons & Simmons, (Shanghai)
Some recent cases involving the sale of personal information have catapulted the topic of data protection laws into the spotlight. Namely, one U.S. multinational in particular was raided by the PRC government and its employees were charged with criminal violations for collecting personal data of individuals from banks, insurance companies and government agencies, amongst others, allegedly through means such as public and commercial bribery, and selling or disclosing that data to third parties.
Currently, there is no single, comprehensive data protection legislation in the PRC despite draft regulations, the Personal Information Protection Measures, which were published in 2005. Rather, there is a patchwork of sector-specific and national laws such as the Service Outsourcing Business by Domestic Enterprises Provisions, PRC Tort Law, amendments to the PRC Criminal Law, and the Decision on Strengthening Protection of Network Information passed by the Standing Committee of the National People’s Congress《全国人大常委会关于加强网络信息保护的决定 》(issued and effective as of 28 December 2012), to name a few, which provide piecemeal data privacy protection in the country and a benign administrative regulation relating to employer's holding employees' personal data.
In terms of personal data protection in the employment law regime, going back to January 2008, the Regulation on Employment Service and Management specifically requires employers to keep employees’ personal data in confidence and to obtain employees’ written consent before publishing their personal data. There are no published consequences or penalties for noncompliance.
Meanwhile, in light of the lack of comprehensive personal data protection legislation at the national level, many provinces in the PRC have implemented or are considering implementing their own personal data protection regulations. Last January, Jiangsu Province was the first local jurisdiction to enact data protection regulations, which are comprehensive and include significant penalties for noncompliance. According to the Jiangsu Regulations, employers must disclose to their employees the purpose of their data collection and obtain the consent of their employees in relation to the proposed use of the collected data. Also, data collected may only be used for the purposes for which it has been collected and cannot be sold or disclosed to third parties. Potential penalties for breach of the Jiangsu Regulations include administrative fines of up to CNY500,000 as well as seizure of illegal proceeds and criminal penalties.
Recently, the Ministry of Information and Industry of China has issued new data protection guidelines, entitled “Information Security Technology – Guidelines for Personal Information Protection within Information System for Public and Commercial Services” (“Guidelines”). The Guidelines came into force on 1 February 2013. They apply to all entities in the PRC, except certain governmental bodies, but have no force of law. Rather, while the Guidelines are not binding, all relevant organizations and entities are encouraged – and expected – to follow them as a matter of best practice.
The Guidelines provide general guidance on protecting personal information handled in information systems, which include computer systems and the personnel who operate the computers, and do not specifically regulate employee data privacy issues. Nonetheless, the Guidelines will impact employers that currently do not have any formal policies or business practices relating to the collection, use, processing, transfer, retention and erasure of their employees’ personal information. Specifically, the Guidelines impose an obligation to obtain consent of the relevant employees whose data is being collected.
Scope of Application
The Guidelines apply to all organizations and entities that handle personal information through information systems, which include any type of computer systems (which is defined broadly to include computers, mobile communication terminals and associated equipment and facilities, including the Internet). Government bodies which exercise public administration functions are excluded.
· Sensitive and General Personal Information
“Personal information” is defined as being either sensitive personal information or general personal information. Sensitive personal information refers to personal information which will have an adverse effect on the data subject if it is disclosed or amended without consent. Sensitive personal information may include a data subject’s PRC identification number, mobile phone number, race, political views, religion, genetic information and biometric (fingerprint) data. The Guidelines further provide that some information may qualify as sensitive personal information depending on the industry at issue and based on the intention of the data subject. Presumably, based on the abstract wording of the Guidelines, this could mean that data which might not qualify as sensitive personal information when released to coworkers within an employing entity, such as the employees’ personal mobile phone numbers, may be deemed “sensitive personal information” if those numbers are disclosed to third parties for impermissible or previously undisclosed purposes.
General personal information refers to all other information which is not sensitive personal information, and could effectively mean any type of data relating to an individual.
The definition of “personal information” under the Guidelines is defined rather broadly as compared to the definition of personal data in other jurisdictions. While this obviously affords a high degree of data protection to individuals, it is likely to prove challenging and costly for businesses who are expected to identify at the outset the types of data which fall under the framework of the Guidelines, and for which consent must be obtained before such data is used or transferred to affiliated entities outside the PRC, for example.
· Express and Tacit Consent
Express consent is required when collecting a data subject’s sensitive personal information or when transferring a data subject’s sensitive personal information outside the PRC. This means that the data subject must give unequivocal consent to the use of his/her data for the purposes for which it is collected by the data user, and if required, a data user must be able to evidence such consent. In the employment context, to establish unequivocal consent in the PRC, employers should obtain the written consent of the relevant employees (the data subjects).
Tacit consent means that the data subject will be deemed as having given consent to the collection of general personal information if he/she does not object expressly. If a data subject expressly objects to the use of his/her data for any particular purpose, then a data user is required to cease using such data and to erase it if it is no longer required for the purpose for which it was collected.
· Collection of Personal Information
Personal information must only be collected for specific and legitimate purposes. Prior to collection, the data subject must be notified of the following in a form and manner which is easy for the data subject to understand:
(1) Purpose of collection;
(2) Means of collection, specific data to be collected and retention period of the data collected;
(3) Scope of use of the personal information, including if the data is to be shared with any third party;
(4) Measures adopted by the data user to protect the personal information;
(5) Contact details of the data user (e.g. name, address and other related contact information);
(6) Possible risks for the data subject in providing his/her personal information;
(7) Possible consequences for the data subject if he/she refuses to provide the requested personal information;
(8) Response channel for the data subject to communicate any complaints to the data user; and
(9) Whether the personal information will be transferred to third parties, and if so, purpose of such transfer, specific types of data to be transferred, scope of use by the third party, and the third party’s contact information.
If personal information is to be transferred to a third party for processing, then the data user must obtain the data subject’s prior express (written) consent before any such transfer. Such consent must, at a minimum, identify the third party by name and address as well as the scope and purposes of the transfer.
This will be of specific relevance to businesses which engage third party data processors (e.g. payroll agents, IT services suppliers, outsourcing service providers, etc.) as they will be required to inform data subjects whose personal information has been transferred to such third parties and obtain their consent in order for such third parties to continue using their personal information.
Further, while data processors located within the PRC are subject to the Guidelines, the Guidelines do make it incumbent on the businesses to ensure that data processors comply with the Guidelines and can do so by procuring their compliance in writing (by contract, for example).
· Transfer outside the PRC
No personal information can be transferred outside the PRC unless the data subject gives express consent, PRC laws or regulations expressly permit, or the responsible governmental authority approves such transfer.
This will have a significant impact on businesses in certain sectors (e.g. financial services, insurance services and conglomerates) which may have data residing with overseas affiliates, offshore data centers or in the ‘cloud’. The Guidelines appear to be more restrictive in this respect than other jurisdictions such as the EU which permit overseas transfers of personal data so long as the transferee’s jurisdiction affords equal or adequate protection.
The Guidelines require personal information to be deleted as soon as it is no longer required for the purposes for which it was collected. If continued use or processing is necessary for a different purpose and it involves the data subject’s sensitive personal information, then the data subject’s express consent must be obtained before any such use or processing.
While not binding, the Guidelines seek to plug some of the loopholes in the current vacuum of personal data protection in the PRC. Nonetheless, because they are meant to apply to commercial data handlers as well as employers, they appear to create some unique and significant administrative challenges to those employers who try to comply fully with them. For example, at the recruitment stage, an employer may not be able to identify for a job applicant all third parties which may receive the applicant's sensitive personal data with the specificity required in the Guidelines. Moreover, unlike in virtually every other jurisdiction which has enacted comprehensive data protection laws, where there are exemptions which ease the administrative burden of having to notify data subjects of every single disclosure of sensitive personal data to a third party, the Guidelines contain no exemptions or exceptions for employers' handling of employee data in the context of transfers to parent or affiliate entities within or outside the PRC, the use of third parties to screen employee complaints, the use of external accountants and payroll providers or other broad functions of human resources.
Finally, while the Guidelines do not have the force of the law, they provide a useful window into the likely content of more comprehensive data protection laws which we anticipate will be enacted in the PRC. Accordingly, it would be prudent for employers to carry out employee data protection audits and assess the impact of compliance with the Guidelines. Employers should also consider putting in place a means to obtain express written consent from current and future employees for transfers of sensitive personal data outside the employing entity. Employers should consider implementing such means sooner rather than later in order to minimize the disruption in future business operations before legal consequences may attach for the unauthorized transfer of sensitive personal employee data.