On 19 December 2016, a draft of the PRC General Principles of the Civil Law was submitted to the NPC standing committee for a third reading. The draft prohibits anyone from collecting, using, processing, transferring, publicizing or selling personal information in violation of the law.
Previously, on 7 November 2016, the NPC also passed the Cybersecurity Law, effective from 1 June 2017. This law defines “personal information” as all information that can identify a particular person, e.g., name, birth date, ID card number, address and telephone numbers, regardless of whether in electronic or another form.
The Cybersecurity Law contains a number of provisions devoted to personal data protection. For instance, the Cybersecurity Law requires network operators to: (1) establish a comprehensive personal information protection system; (2) inform each data subject of the purposes, methods and scope of data collection, and obtain the data subject’s consent to the data collection; (3) not leak, alter or damage a data subject’s personal information; and (4) not provide a data subject’s personal information to others without the data subject’s consent.
It is not clear whether these “network operator” obligations extend to an employer when it collects personal information from employees through a telecoms network. “Network operator” is broadly defined as an owner or administrator of a computer information network, or as a network service provider, so the definition could potentially cover all entities using or administrating a telecoms network for the promotion and provision of products or services. Regardless, current guidelines already push employers to obtain an employee’s consent prior to collection, use or publication of the employee’s personal information.
Finally, the Cybersecurity Law provides that a “critical information infrastructure operator” – which is also broadly defined to include any operator in a key sector, such as public communications and information services – should store within the territory of China any personal information collected and generated from China during its operations. If the information needs to be transferred to an overseas party, the government must conduct a security assessment and approval before the transfer.
For employers, the Cybersecurity Law is not clear on whether the data residency requirement and the data export assessment/approval requirement could be interpreted to prevent or restrict the cross-border transfer of employee information. In practice, this interpretation would probably be impossible to implement because it would prevent multinational companies with global human resources systems from accessing employee data in China.