Foreign companies doing business in China should consider adopting safeguards to protect employee personal data to reduce the risk of unauthorized disclosure or claims of infringement of privacy.
This advisory is one of a series prepared by Pillsbury's China Practice on questions frequently asked by our clients doing business in China. Here, we summarize current PRC law relating to personal data protection and also suggest some best practices.
Personal data protection legislation has been a widely discussed topic in recent years in China, mainly because employees of institutions that amass personal data of users and clients in the course of their business (such as internet companies, hospitals, phone companies, banks and insurance companies) are selling the personal/client data for profit or disclose the data to third parties inappropriately. In extreme cases, databases of personal information can even be downloaded online freely. Many have called for a comprehensive national personal data protection law but no such law has been put into place. The Several Provisions on Regulating Market Orders of Internet Information Services recently issued by the Ministry of Industry and Information Technology of the PRC (MIIT Provisions) may be a first step in a positive direction.
Before the MIIT Provisions, the laws at the national level that provide personal data protection were the PRC Criminal Law and the PRC Tort Liability Law. The PRC Criminal Law prohibits employees of government agencies or institutions in the financial, telecommunication, transportation, education or medical sectors from selling or otherwise unlawfully providing to third parties personal data of any Chinese citizen to which these employees have access in the course of performing duties or services at any such agency or institution. The PRC Criminal Law also prohibits any person from obtaining personal information of any person by means of theft or other unlawful means. A person whose personal data has been unlawfully used or disclosed may also file a civil claim under the PRC Tort Liability Law for infringement of privacy.
Due to the lack of detailed interpretations or implementing regulations on the application of the relevant provisions in the PRC Criminal Law or the PRC Tort Liability Law, the impact of these laws on prevention of misuse of personal information has been relatively insignificant.
The MIIT Provisions took effect on March 15, 2012. The Provisions apply to internet service providers (ISPs) which normally collect large amounts of personal information, such as email service providers, and web and blog operators or hosting service providers. The Provisions do not focus on data protection, but include two articles that regulate how these ISPs may collect and use personal data of their users. Among other things, the articles impose the following requirements on the collection of user personal information that, in itself or together with other information, is sufficient to identify the user:
The ISPs must inform users of their services of the method and content of and the purpose for collecting and processing the personal information and may not provide personal information to a third party without the user's prior consent.
The ISPs may collect such personal information as is necessary for provision of their services.
The ISPs must securely maintain personal information and must take measures promptly to mitigate possible harm resulting from any actual or suspected leak of personal information. If a leak of personal information results in actual or potential material adverse consequences, the ISP must inform the authorities and be cooperative during an investigation by the authorities.
An ISP who violates any of the above provisions will be subject to a fine between RMB 10,000 to RMB 30,000, together with a public warning.
In response to the increasing occurrences of inappropriate collection and use of personal data on a massive scale, and in view of the lack of comprehensive personal data protection legislation at the national level, many provinces in China have adopted or are considering adopting personal data protection regulations. For example, Jiangsu province enacted data protection regulations last year that prohibit the sale, illegal use or disclosure of personal data; the Jiangsu regulations also prohibit theft or purchase of personal data.
Foreign companies doing business in China often ask what the requirements are on how to collect, process and use personal information of their employees in China for administrative and business purposes. Chinese law is silent in this regard. In the absence of clear legal guidance, companies doing business in China may consider the following practices to reduce possible misuse of personal data and claims of infringement of privacy rights:
Informing each employee what personal data the company will be collecting and the purpose for collecting such data.
Requesting the employee to sign an acknowledgement and consent to the company's collection, processing, and use of personal data.
Implementing measures to maintain the confidentiality of personal data by, for example, limiting access to personal data to specified employees on a need to know basis.
Limiting personal data collected to the information necessary for the relevant administrative or business purposes.
Providing the employee with the option of not disclosing certain sensitive personal information (such as medical history).
In general, the Chinese subsidiary should adopt the same procedures as those used by the parent company to protect employee personal data, especially if the procedures have been designed to comply with more developed data protection laws in other jurisdictions.