Data Protection and HR Considerations in China for Technology Companies

August 14, 2023

From educational backgrounds to medical and bank account information, the collection of personal data is often required by human resources (HR) departments. As the data protection regime in China continues to evolve, so too do the individual privacy rights of employees, which can be an acute consideration, particularly for multinational technology companies operating in the country.

There are three key laws in China that form the foundation of the legislative approach—the China Cybersecurity Law (CSL), the Personal Information Protection Law (PIPL), and the Data Security Law (DSL)—that may significantly impact the HR practices of tech companies in the country.

For technology companies in particular, flexible working arrangements, frequent use of electronic devices, and the use of ephemeral messaging apps, such as WeChat, in China present data privacy risks, as does the use of personal devices or accounts for business purposes when working from home and printing and disposing of printed materials at home or in other locations, such as coffee shops and hotels.

Our lawyers provide an overview for employers to help address key data privacy risks that may arise when handling employee data, including recent cases addressing the permissible scope of using personal data that is collected by the employer and the recently issued standard contractual clauses (SCC) for the cross-border transfer of personal information.

Collecting Employee Data: Recent Cases and International Considerations

In the rapidly developing area of law related to the use of employee data to protect trade secrets and conduct employee investigations, recent cases in China have shed light on the likely future approach of Chinese courts.

A Beijing appellate court recently rejected an employer’s ability to use—without the employee’s informed consent—deleted WeChat data from a company-issued device in a legal proceeding to support the termination of the employee’s employment contract by demonstrating misconduct. The Beijing court’s ruling is similar to that of a Shanghai court in an earlier case from August 2021.

While the individual courts’ attitudes may vary, the recent decisions and opinions of the Beijing court suggest a heightened risk for collecting personal information without obtaining employees’ express consent, even from company devices. Courts are likely to evaluate the legality, legitimacy, and reasonableness of the personal information–processing activities when determining the lawfulness of the collection and use of the data.

International recordkeeping requirements often also apply to a multinational company’s business operations in China, which adds additional complexities when managing and accessing personal data in China and then transferring that data out of China.

For example, the US Department of Justice’s (DOJ’s) guidance on ephemeral messaging applications issued in March 2023 provided that companies should implement appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms.

It is therefore prudent for companies to review their policies and employee practices and put in place mechanisms to ensure compliance with data protection and recordkeeping laws in China and other relevant jurisdictions as soon as practicable. If the company finds itself in a DOJ-led investigation and has not produced communications from these third-party messaging applications, the DOJ officials will consider “the company’s ability to access such communications, whether they are stored on corporate devices or servers, as well as applicable privacy and local laws, among other things.”

It is often too late for a company to establish effective data protection policies in China once it is already facing an investigation from the government, particularly if the relevant data is available only on an employee’s personal device within China.

Cross-Border Transfer of Employee Data – November 30 Deadline for SCCs

There are a number of requirements under Chinese law for the cross-border transfer of data. Most recently, China issued the SCC template and its governing regulation (the SCC Measures), which became effective on June 1, 2023. The China SCC template and SCC Measures contain similar requirements to those under the European Union’s General Data Protection Regulation.

The SCC is an agreement between the data handler and the recipient relating to the handling, storage, and deletion of data, among other areas, under the context of cross-border transfers of personal information.

The standard terms of the SCC cannot be changed, and supplemental provisions are only permissible if they do not conflict with the standard terms. There is currently a six-month grace period, with a deadline of November 30, 2023, for data handlers engaging in cross-border data transfer activities—which are not subject to a Security Assessment—to comply with the requirements under the SCC Measures and/or the PIPL.

For more specific details on what filings are required and what additional channels there are to transfer personal data lawfully out of China, please see this report.

Common Misperceptions

There are several misperceptions about the cross-border transfer of employee data. Employee consent is not always required for the cross-border transfer of personal information, due to some limited exceptions under the PIPL. For example, consent is not required when the data is necessary for HR management in accordance with valid company policies and collective contracts or when handling publicly available personal information within a reasonable scope.

Another exception is for anonymized information. It is important to note that de-identification is not sufficient—de-identified personal information may still be used to identify relevant natural person(s) with the aid of additional information. Therefore, personal information must be fully anonymized (meaning the personal information is handled in a way in which it is impossible to identify relevant natural person(s) and the anonymized information cannot be recovered) to qualify for this exemption under the PIPL.

Key Takeaways

  • Deadline: November 30, 2023 is an important deadline for data handlers that are not subject to the Security Assessment to comply with the requirements under the new SCC Measures and/or the PIPL for cross-border transfer of personal information.
  • Determine the Appropriate Channel: Signing the SCC is only one of the channels for lawfully transferring personal information out of China. It is important to determine the appropriate channel for the personal information transfer based on the circumstances.
  • Various Requirements and Steps: The SCC channel entails more than just signing a contract—there are various required steps to ensure compliance.
  • Ongoing Process: It is important to monitor any changes to your company’s practices around the cross-border transfer of personal information and take necessary steps to reduce the risks of an unlawful transfer, such as by obtaining separate consent and signing or re-signing the SCC to ensure compliance.

If you are interested in How Tech Companies’ HR Practice May Be Impacted by Recent Data Protection Legal Developments in China, as part of our Technology Marathon webinar series, we invite you to subscribe to Morgan Lewis publications to receive updates on trends, legal developments, and other relevant areas.

Read more about data privacy and data transfers in China >>