In recent years, China has introduced a number of major data protection laws, including the Personal Information Protection Law (PIPL) (effective from November 1, 2021) and the Data Security Law (DSL) (effective from September 1, 2021), together with a series of implementation regulations and administrative rules. In particular, the PIPL establishes a new comprehensive regulatory framework for personal information protection in China, requiring consents as its principal basis for data collection and handling, introducing provisions with extraterritorial effect, restricting cross border data transfers and imposing significant revenue-based fines for non-compliant conduct.
These new laws, particularly in respect of requirements on the processing of personal information and cross border data transfer, will pose significant challenges for companies when conducting or responding to investigations in China, such as how they respond to a foreign government regulator’s investigation that touch parts of their China based businesses, or where they need to produce evidence in offshore judicial proceedings.
Notice and consent is required for collection and processing of personal information
A typical investigation often involves collecting, accessing and analyzing employees’ data, such as HR files, email data, cellphone data, company device data, etc. Such employee data may likely to contain personal information as defined by the PIPL, such as the employee’s name, date of birth, address, telephone number, email address, education background, employment history, etc. Under the PIPL, express and informed consent must generally be obtained from data subjects for processing of personal information.
Further, a separate and explicit consent is required if the personal information in question involves sensitive information of the data subject, such as his/her biometric recognition, religious belief, specific identity, medical health data, financial account, personal location tracking, etc., or such information is to be transferred to a third party (such as outside counsel, auditors and/or other third party service vendors) or out of China.
The requirements of notification and consent under the PIPL when collecting and processing electronic and other data from company employees will pose many logistical and practical difficulties during an investigation in China. Company and business-related data may be intermingled with personal information that the employees will seek to protect. It is also a very common practice for company employees to use personal devices for handling and communicating business data, and employees will be reluctant to agree to hand over their personal devices to allow the collection and processing of data contained in those devices during an investigation. Existing company data privacy policies, and data notices and consent forms often have no or only vague references to the possibility of employees’ data being collected and used in company-led and/or regulatory investigations.
Restrictions on cross-border transfer of data
Under the PIPL and recent administrative rules introduced since June 2022, personal information can only be transferred outside of China once certain requisite steps are completed and regulatory approval obtained, including: (i) clearing a security assessment approved by Cyberspace Administration of China (CAC); (ii) obtaining a personal information protection certification from a professional institution designated by the CAC, or (iii) entering into a standard format data transfer agreement with the overseas recipient of such data.
The overall process for facilitating the transfer of personal information out of China is complex and there is a lack of clear guidance provided under the existing rules. For multinational companies conducting investigations in China or where any offshore investigation requires access to data of China based employees, it is recommended to process and review all China related data within China using local teams or outside counsel and service providers with China based teams and thus, look to dispense with the need to transfer the subject data out of China.
Transfer and disclosure of data to foreign enforcement authorities
Article 36 of DSL provides that data stored within China shall not be provided to foreign legal or enforcement authorities unless approval is obtained from competent Chinese authorities. More significantly, this restriction on transfer and production of data appears to apply to all types of data, and is not limited to “core data” or “important data”, which are already subject to restrictions under the DSL as well as under the Cybersecurity Law. The PIPL contains an identical provision (Article 41) on prohibition of transfer of personal information to the foreign judicial or law enforcement authorities without the approval of a designated Chinese authority.
Neither the DSL nor the PIPL provides further details on the scope of this restriction or the mechanics of seeking such approval. As the DSL only took effect on September 1, 2021, to date, there has been no additional official guidance provided on how the relevant Chinese authorities will process and approve such data transfer and production. Our experience so far is that approval will need to be obtained from both the CAC and industry specific regulators. That said, the process involved lack clarity and there is uncertainty as to how long companies should allow for such approval process. In addition, the need for potential State secrets review before transferring any data outside of China will also add to the complexity of the overall process.
More implementing regulations and guidance concerning the PIPL, the DSL and other data protection laws are expected to be issued in the future. Companies with businesses or operations in China are advised to keep up with the latest regulatory developments and proactively review their compliance programs and policies of their Chinese operations to ensure that they are compliant with these laws. In the context of conducting investigations in China, companies should:
- Proactively review and update their investigation protocols, ensure data collection and process steps are compliant, and check whether existing data privacy and business data policies are sufficient to cover investigation scenarios and the transfer and disclosure of data to third parties and regulatory authorities;
- Develop tailored consent mechanisms for data collection and processing, with suitable privacy notices and consent forms and ensuring requisite consents are obtained at the early stage of an investigation;
- Establish a protocol for handling cross-border data transfer, that covers PRC State secrets and personal information review, localized data reviews, steps to seek requisite approval from relevant PRC regulators etc.