Data protection
i Basic requirements
Data privacy and data protection is an emerging area under Chinese law. There are no requirements for an entity that collects personal data to register with any government body, and there is no centralised data protection authority, other than certain industry-specific bodies, such as the Ministry of Industry and Information Technology in the telecommunications sector. An employer must keep its employees' personal data confidential and must obtain an employee's written consent if the employer wants to make the employee's personal data public. Except for this general rule, there are no workplace-specific privacy laws in China that govern the ability of employers to collect, use and disclose employee personal data. Notwithstanding the foregoing, China has enhanced online data privacy protection in recent years, and relevant government authorities have passed a series of laws, regulations, guidance and standards in this regard, two of the most important of which are the Cybersecurity Law, which took effect on 1 June 2017, and the Information Security Techniques – Personal Information Security Specifications (the Personal Information Security National Standards), which took effect on 1 May 2018. Although neither the Cybersecurity Law nor the Personal Information Security National Standards specify whether the requirements provided therein apply in the employment context, employers are recommended to act in compliance with such requirements to avoid any uncertainty.
ii Cross-border data transfers
Data localisation is a trend in China. The Cybersecurity Law includes a general requirement that critical information infrastructure providers (the CII Providers, the definition of which must be clarified) must store personal information and important data they collect within China. If there are business needs for CII Providers to transfer this information or data outside China, security assessments must be conducted. Owing to the fact that certain details concerning the data localisation requirement (e.g., detailed rules for security assessments) need to be clarified, it has not yet been implemented in earnest. To implement the new Cybersecurity Law, on 11 April 2017, the Chinese government released the Draft Security Assessment Measures for Cross-Border Transfer of Personal Information and Important Data, which is intended to be a major set of implementation rules for the new Cybersecurity Law (the Draft Implementation Rules). The Draft Implementation Rules require network operators planning to transfer more than one terabyte of data out of China, or network operators that have collected data on more than 500,000 data subjects, to obtain the permission of the data subjects, as well as pass self-imposed and government-run security assessments. Although the Cybersecurity Law and the Draft Implementation Rules do not specify whether the above-mentioned requirements apply in the employment context, employers are recommended to comply with them. Based on the above, it is advisable that an employer obtains written consent from the concerned employees and conducts a self-imposed security assessment before it transfers the employees' personal data out of China. Once the Draft Implementation Rules of the new Cybersecurity Law have been passed, the employer may also be required to pass a government-run security assessment if the size of the personal data to be transferred or the number of data subjects involved meets the criteria set forth in such rules.
iii Sensitive data
The Personal Information Security National Standards make a distinction between general personal information and sensitive personal information. The latter is defined as the personal information that, if leaked, illegally provided or used without proper authorisation, may harm personal or property safety, personal reputation, or physical or mental health, or lead to discrimination towards the data subject. Examples of sensitive personal information include a natural person's identification card number, biometric information, bank account number, correspondence records and contents, property information, credit information, location tracking, lodging information, health and physiological information, transaction information and personal information of minors under 14 years old. Expressed consent is required to be obtained from the data subject before sensitive data is collected from the data subject.
iv Background checks
There is no specific Chinese law prohibiting an employer from conducting a background check or credit check for an employee employed in China, but getting relevant and accurate information can be challenging for employers in practice. An individual's credit report is available from the People's Bank of China and the central bank of China and its local branches, but usually the individual in question must apply for the report in person. Criminal records information is available to employers as this information should be recorded on the official government personnel file maintained on all Chinese citizens who work for a company. Employers might also request an employee to provide a no-crime certificate issued by the local notary public or the police station as a condition of employment.
An employer should keep all such information strictly confidential. According to the General Principles of the Civil Law, the NPC Decision and relevant judicial interpretation, activities that publicise private data, or disclose an individual's private information, in writing or orally, without the individual's prior consent, are considered a civil injury to the employee and may constitute a criminal offence.
Generally, Chinese employers do not engage in drug testing. As a general rule, an employer would be expected to demonstrate a 'compelling interest' in screening an employee for drug use to justify any potential infringement on the employee's privacy. Nonetheless, specific rules exist with respect to certain industries where a direct connection exists between the employee's duties, and the safety and security of the employee and others.