How should a company conduct compliance investigation under PIPL

Shihui Perspectives | Shihui Partners | 2024-03-02

The implementation of the Personal Information Protection Law of the People’s Republic of China (hereinafter referred to as the “PIPL”) has opened a new chapter for privacy protection in China. The PIPL provides clear rules on the processing of personal information, comprehensively protects personal rights, and has a profound impact on business operations and daily life. It also sets higher compliance requirements for companies’ operation and development.


From the perspective of compliance investigation, personal information may be processed at every stage of the process, for example when retrieving information from employees’ electronic devices, disclosing investigation content to third parties (professional institutions or government authorities), sharing information with the overseas headquarters of multinational companies, and using and publishing investigation results. The personal information involved in compliance investigation is diverse and often sensitive. Anti-corruption investigations, for example, often involve bank accounts, transaction and reimbursement records, and the whereabouts of employees.


Complexity means more challenges. This article will address some common issues that companies may encounter in their compliance investigations and discuss compliance actions.  



Authors: Shihui Partners | Chang Liu | Hongyuan Zhang


1. What are the statutory bases under the PIPL for the processing of employees’ personal information in compliance investigation? 


Article 13 of the PIPL sets out seven statutory bases for personal information processing. If a company can fit into any of the seven statutory bases, it may process personal information of its employees. As far as compliance investigation is concerned, the following two statutory bases may be the most frequently used ones:


Obtaining individuals’ consent


Before the promulgation of the PIPL, obtaining individuals’ consent was the primary basis for companies to process personal information of their employees. Despite the fact that the PIPL provides for other statutory bases, obtaining individuals’ consent is still the most frequently seen basis to ensure the compliance of personal information processing. 


Due to the confidential and confrontational nature of compliance investigation, obtaining employees’ consent after the commencement of an investigation is often very difficult. Companies may consider preparing in advance. For example, at onboarding, companies may inform employees that their personal information may be processed in compliance investigations, together with the types of information, processing methods and other statutory matters, and it is always recommended to obtain employees’ written confirmation. In a specific compliance investigation, companies may consider whether it is necessary to obtain employees’ consent again in light of the actual processing activities carried out.


However, note that if a company solely relies on an employee’s consent as the statutory basis for processing, it needs to consider the options when the employee’s consent is withdrawn. Therefore, it would be safer for companies to simultaneously invoke other statutory bases (see below) where individuals’ consent is not required. 


Necessity of HR management


In the context of employee management, in addition to obtaining individuals’ consent, companies may process personal information of employees if it is “necessary for implementing human resources management in accordance with internal policies formulated in accordance with the law and collective employment contracts concluded in accordance with the law” (hereinafter referred to as “HR management”). Currently, there is no clear guidance on how to tell if a compliance investigation is within the scope of HR management, and since the PIPL has only been implemented for a short period, there is also a lack of guiding opinions from judicial practice. 


At the current stage, companies may consider reasonably detailing the scenarios and rules for the processing of employees’ personal information in their internal policies and completing the consultation and publication procedures required by the Employment Contract Law. Meanwhile, companies should prudently determine the scale of processing of employees’ personal information in a compliance investigation based on the specific circumstances, and should follow the principles of necessity, legitimacy and minimum scope as required by the PIPL.


In addition to the above two statutory bases, in some circumstances companies may rely on “processing within a reasonable scope personal information already disclosed by an individual or other personal information that has been legally disclosed”, as stated in Article 13 of the PIPL, as the statutory basis for processing employees’ personal information in a compliance investigation. For example, companies can verify an employee’s non-compliant concurrent employment with another employer, in violation of internal policies, based on registration or qualification information published on the Internet or on the employee’s statements on WeChat Moments or other public occasions.


2. What should companies note when searching employees’ devices?

Work devices


In compliance investigation, a typical practice is to search the work devices held by employees in order to locate evidence, which is in effect an extension of companies’ day-to-day monitoring of employees’ devices. Under the framework of the PIPL, a feasible way to ensure the compliance of this practice is to include the processing of personal information stored on employees’ work devices for the purpose of compliance investigation within the scope of HR management, and to make this clear in internal policies.


In a case widely discussed last year, a company used data recovery to export part of the call recordings from an employee’s work mobile phone, in which the employee said that he was planning to steal the company’s order by assigning it to another company. The company requested the employee to compensate for the resulting losses. However, the court held that the recordings could not be admitted as evidence because the company had not explicitly informed the employee of its right to record the calls and recover call data, and had failed to obtain the employee’s consent. The court therefore dismissed the company’s claim.


Although the judgment in this case was published before the PIPL came into force, it still serves as an important reference point for companies investigating employees’ work devices. Clarifying the company’s rights over work devices in advance in internal policies, or obtaining employees’ consent, may provide strong support for the legality of the relevant evidence. At the same time, companies should also specify in internal policies that work devices are to be used for work purposes only, so as to reduce the chance that an investigation involves excessive personal information unrelated to work.


Personal devices


Under special circumstances, companies may investigate employees’ personal devices, such as personal mobile phones. However, it is generally difficult for investigation of employees’ personal devices to be considered compatible with the principle of reasonableness and necessity under the PIPL and it may exceed the limit of HR management. As such, companies usually should obtain employees’ explicit consent in advance. 


3. How to work with third parties such as accountants and lawyers to process employees’ personal information during investigation? 

If a company needs the assistance of third parties such as accountants and lawyers for a compliance investigation, it cannot avoid sharing employees’ personal information with these third parties, who may further process that information. Commonly seen scenarios include third parties participating in the investigation and assisting the company with analysis and discussion.


According to the PIPL, in the above situation, companies should inform employees in advance of the recipient’s name, contact information, processing purpose, processing method and the categories of personal information, and obtain employees’ separate consent. If the transmission of employees’ personal information during a compliance investigation is to rely on HR management as its basis, the arrangements will need to be specified in internal policies or collective contracts, clarifying the purpose and methods of processing, the types of personal information, and so on.


If the collaboration with third parties involves joint processing or authorized processing as defined in the PIPL, companies should also fulfil corresponding obligations according to the specific scenarios, such as agreeing with the third parties on rights and obligations in personal information processing activities as well as supervision of such processing activities. 


4. What requirements should be met if cross-border transmission of employees’ personal information is involved during investigation? 

A multinational under globally integrated management is often required to report investigation results to its overseas headquarters. This involves not only the transmission of information from domestic companies to the overseas headquarters, but also more complicated situations such as the overseas headquarters directly accessing data in domestic systems, or the server receiving personal information being located overseas, which causes cross-border transmission of personal information as a matter of course.


To ensure the compliance of cross-border transmission of personal information, companies generally need to explicitly inform individuals of the relevant statutory matters and obtain individuals’ separate consent. As to whether this activity falls within the scope of HR management, opinions vary in practice. At this stage, considering the sensitivity of cross-border transmission, we recommend that companies consider adopting the approach of “obtaining individuals’ consent + HR management”.


In addition, cross-border transmission of personal information should also meet one of the conditions set forth in Article 38 of the PIPL (i.e. passing the security assessment organized by the national cyberspace administration authority, obtaining certification of personal information protection by a professional organization, or entering into a standard contract with the overseas recipient). With respect to the operation of the certification of personal information protection and execution of the standard contract, the relevant implementing rules have not yet been officially issued by the relevant authorities. As for the security assessment, the relevant requirements have been set out in the Measures for the Security Assessment of Outbound Data (Draft). With the final draft expected to be issued in the near future, companies that need to transmit personal information overseas can stay tuned for any further updates.


5. What to look out for in the use and publication of compliance investigation results? 

Providing information to domestic judicial or law enforcement authorities


If domestic judicial or law enforcement authorities require companies to provide information about their employees’ illegal behavior, companies are usually obligated to cooperate with the authorities and disclose information in accordance with the law. Under some circumstances, companies may also voluntarily report their employees’ illegal behavior to the government authorities to seek remedies. In this case, companies may still need to screen the relevant information, and the information to be submitted should usually be necessary and relevant to the reported matter. 


Providing information to overseas judicial or law enforcement authorities 


Where employees are found to have committed serious violations of laws and regulations in a compliance investigation, overseas judicial or law enforcement authorities may require companies to disclose the relevant information. In some cases, multinationals may choose to proactively disclose information to overseas judicial or law enforcement authorities in order to mitigate the possible penalties. In accordance with the relevant provisions of the PIPL, companies should not provide overseas judicial or law enforcement authorities with personal information stored in China without the prior approval of the competent authorities of China under such circumstances, and companies should pay more attention to this issue. 


Publication within a company


If an employee’s illegal behavior has been confirmed after investigation, some companies may announce the investigation results internally as a warning to others. When announcing employees’ violations internally, companies should also abide by the principles of necessity, legitimacy and minimum scope as required by the PIPL. Companies should not only prudently determine the scope of information to be disclosed, avoiding disclosure of personal information (especially sensitive information) that is irrelevant to the employee’s violation or to the warning purpose, but should also be mindful of the manner and scope of the disclosure. In general, it is safer to limit the audience to employees only.


6. What are the consequences of conducting an illegal compliance investigation?

In a compliance investigation, if companies violate laws or regulations in processing personal information, the consequences may be administrative liability as stated in the PIPL or even criminal liability. Companies may also be held liable in tort if the processing causes a loss to employees. In addition, if companies fail to meet the relevant requirements of the PIPL in the investigation and organization of evidence, the legitimacy of such evidence is likely to be questioned in arbitration or court proceedings, and it thus cannot be used as a valid ground for punishing employees.


Conclusion

With the implementation of the PIPL and the improvement of various information protection legislation and supporting measures, it has become the general trend for companies to attach importance to, and raise, their compliance standards for information protection in the course of business operations. In compliance investigations, companies need to pay close attention to the relevant requirements of the PIPL, follow legislative developments, and take corresponding measures according to the actual situation in order to protect the legitimate rights and interests of employees while achieving the investigation objectives.

Copyright and Disclaimer

This article is for reference only and should not be considered legal advice. This article should not be used for any other purposes without the written consent of Shihui Partners. If you need to forward it, please indicate the source. If you have any questions about the content of this article, you can contact the authors or other Shihui Partners lawyers.



Chang Liu | Partner

liuch@shihuilaw.com


Ms. Chang Liu’s main areas of practice are employment law, employment-related dispute resolution, laws relating to social security, etc. She has advised hundreds of large state-owned enterprises, multinationals, domestic private enterprises and institutions, and her clients are major players in sectors such as banking and finance, consultancy, insurance, healthcare, software technology, fast-moving consumer goods, real estate, petrochemicals, aviation, etc.
Ms. Liu is deeply experienced across all employment-related practice areas, including drafting and reviewing employment documents and internal policies such as employment contracts, training agreements, confidentiality and non-compete agreements, employee handbooks, etc. She also regularly advises clients on employment relationships, management of foreign employees, protection of female employees, protection of trade secrets, non-compete, union issues, collective agreements, remuneration, social insurance, benefits and leave for employees, reorganization of employment structures, occupational health and production safety, etc. Ms. Liu has also regularly designed employment transfer or termination plans that are compatible with the main transaction plans in important projects such as large-scale M&A, assisted clients with economic layoffs, and conducted employment due diligence investigations. Ms. Liu has extensive experience in all these practice areas, and she has been widely praised for being able to provide clients with the most precise and practical solutions.
Ms. Liu is also a seasoned litigator when it comes to handling employment arbitration and litigation cases, and she has defended clients with employment disputes relating to termination of employment, salary, bonus and commission, labor dispatch, etc.


Hongyuan Zhang | Partner

zhanghy@shihuilaw.com


Mr Hongyuan Zhang’s main areas of practice are employment law, employment-related dispute resolution, laws relating to social security, etc. 


Mr Zhang is able to advise clients in both non-contentious and contentious matters. He regularly advises clients on employment relationship, management of foreign employees, protection of trade secrets, non-compete, union issues, collective agreements, remuneration, social insurance, benefits and leave for employees, occupational health and production safety, protection of employees’ personal information, etc. Mr Zhang also regularly assists clients with due diligence investigations and compliance matters related to employment, the transfer and termination of employment often seen in important M&A, reorganization and relocation projects, as well as clients’ economic layoff requirements.


Mr Zhang is also deeply experienced in representing clients in contentious matters. He regularly represents clients in employment-related negotiation and mediation, as well as employment arbitration and litigation. 


Mr Zhang has advised on employment matters for numerous large state-owned enterprises, institutions, multinationals and large domestic private enterprises, and his clients are major players in sectors such as banking and finance, logistics, food and beverage, consultancy, insurance, healthcare, aviation, automobiles, software technology, etc.
