It’s been a busy couple of years for data protection laws worldwide.

The European GDPR came into force for EU and EEA nations in 2018, and a revised UK version then came into play in 2021 following Brexit. In the US, 2020 started with a bang as the California Consumer Privacy Act (CCPA) officially kicked in, while the fall of the EU-US Privacy Shield agreement sent ripples through EU-US data flows.

Now, China has passed the Personal Information Protection Law (PIPL): the country’s first national-level personal data protection regulation. China’s new data security law came into effect on the 1st of November 2021 and prohibits the excessive collection of personal or sensitive information. Any collection of such data is limited to the minimum level necessary to fulfil a specific purpose.

While everyone in China will be affected, the PIPL will significantly impact employee data protection, meaning HR teams and businesses operating in China will have to be extra careful when handling their staff’s personal information.

What happens if businesses fall short of the PIPL?

The Chinese authorities have clamped down on penalties for anyone found in violation of the new PIPL.

Failure to comply could result in an order for rectification, plus potential confiscation of any income associated with the unlawful data processing. Organisations that refuse to rectify are liable for a fine of up to RMB 1,000,000 (£114,000). In the most serious cases, penalties of up to RMB 50,000,000 (£5.7 million) or 5% of a company’s annual turnover, whichever is higher, may be issued. Authorities can even suspend a business’s operations and cancel its permits or licences if required.

On an individual level, persons in charge of or involved in any illegal data processing are also liable for fines of up to RMB 1,000,000. Those in charge may be barred from their position of authority for a set time.

That’s the scary stuff out of the way. Now, let’s take a closer look at some of the finer details of China’s new data security law and what businesses must do to remain compliant and protect their employee data.

What constitutes ‘personal’ information?

Any information relating to an identified or identifiable person is classed as ‘personal’ data. ‘Sensitive personal’ information is a narrower category: data that, if leaked or misused, could easily harm an individual’s dignity or cause them severe damage. Sensitive personal information includes, but isn’t limited to, religious beliefs, healthcare records, financial records, biometric information and location data.

Now, the onus falls on businesses to audit the data held on their employees, identify which sensitive personal information has been collected and establish whether this data is needed to operate.

How does China define ‘data processing’?

Any kind of interaction with an individual’s data is considered processing. Under Article 4 of the PIPL, processing includes collecting, storing, transmitting, providing, publishing or deleting personal information.

What must businesses do to protect employee data?

The key issues covered by China’s new data protection law include consent for processing personal information, local data storage and cross-border data transfer, the rights of the data subject and the obligations of the personal information processor.

Consent for processing

The regulations cover all aspects of obtaining consent from a subject to process their data, including what amounts to valid consent, consent withdrawal, when new consent is required, and the concept of ‘separate consent’.

Businesses need to ensure they’re obtaining the right kind of consent from their employees, and obtaining it in the right way. You should inform every employee how their data is being used: who is processing it, how it’s being processed, the scope of information being collected and how long it will be stored.

Local storage and cross-border data transfer

Any companies dealing with personal information that need to transfer this data out of China are required by the new data security law to conduct a personal information protection impact assessment.

Processors must gain consent from the individuals affected, who should also be informed of the names of the receiving parties, their contact information, the processing purposes, the means of processing, the categories of personal data involved and the ways individuals can enforce their rights under the PIPL.

Organisations will also need to pass a security assessment conducted by the state cyberspace authorities.

Rights of the data subject

The PIPL has introduced a series of new rights for those having their data processed. Much like the GDPR, individuals now have the right to access, obtain a copy of, amend or delete the personal information a processor holds on them (e.g. an employee can request details of the personal information their employer holds on them). The processor is obliged to respond promptly. A close relative of a deceased data subject has the same rights unless the deceased said otherwise while they were still alive.

Businesses should implement a mechanism that allows employees to interact with their data in this way. It’s also important to note that companies must delete personal information if:

• The purpose of processing the data has been achieved (meaning the information is no longer required).
• The agreed storage period has ended.
• The data subject revokes consent for processing their information.
• The agreement for personal information processing is violated.

Obligations of the data processor

China’s data protection law imposes several new responsibilities on any entities processing personal information. New internal management systems and operation procedures are mandatory to ensure data is processed correctly, including adopting technical security measures to guarantee its safety (such as encryption and de-identification).

What’s more, businesses are required to provide regular security education and training for any staff involved in data processing, and to have adequate response plans in place in the event of a data breach.

Organisations must appoint a data protection officer if the volume of personal information they process exceeds a certain threshold, and regular compliance audits are also required.

Sound like a headache? With such serious ramifications for falling foul of the law, these new data security laws aren’t something businesses can ignore. To minimise the risks and ensure complete compliance when protecting employee data, why not appoint a global employer of record to take care of it all for you? The TopSource Worldwide team has unrivalled knowledge of Chinese labour and data protection laws and can advise you on the best plan of action moving forward. Get in touch today to find out how we can help.