Considerations for Overseas Employers under China’s Personal Information Protection Law

The Personal Information Protection Law (“PIPL” or the “Law”) was passed by the People’s Republic of China’s national legislature on August 20, 2021, and will become effective on November 1, 2021. PIPL, as China’s first comprehensive privacy framework, greatly expands the protections and rights for individuals as well as the rules and obligations for processing personal information, similar to that of the California Consumer Protection Act (“CCPA”) and the General Data Protection Regulation (“GDPR”). PIPL also imposes hefty fines and penalties for non-compliance,¹ and has broad application for businesses, both in and outside mainland China,² so any business with operations in China should strive to quickly understand PIPL’s application and any requirements imposed on them by the Law, even if the business has no actual establishments in China.

PIPL does not only apply to businesses that process personal information of Chinese citizens within the territory of China, but also does when an overseas business processes personal information of Chinese citizens in China and where the purpose of the processing is to either provide products or services to Chinese citizens in China or analyze or assess the activities of those individuals in China.³

Overseas employers with operations in China or with Chinese employees may fall within the purview of PIPL as Personal Information Processors (“PIPs”).⁴ By nature of being an employer, personal information/sensitive personal information⁵ of employees, including such data points as name, gender, ethnicity, date and place of birth, ID No., address, email account, phone No., general health conditions, educational background, work experience, and emergency contacts, is collected and processed independently for human resources (“HR”) and employment-related purposes.

Amongst other things, PIPL requires an overseas employer subject to the Law to have a legal basis for processing such information, such as having consent from the employee to process information or relying on one of the other enumerated bases under PIPL–for example, processing when necessary for the execution or performance of a labor contract, or for HR management.⁶ Various other provisions⁷ of PIPL will affect overseas employers and have a significant impact on multinational corporations’ HR operations, including the provisions requiring businesses to designate a representative or agency in China to handle personal information protection matters,⁸ and to obtain separate consent if employee sensitive personal information is being processed.⁹PIPL will also require employers to conduct risk assessments when certain high risk processing scenarios occur¹⁰ and undergo security assessments by the Cyberspace Administration of China (“CAC”), or meet one of the other enumerated measures listed in PIPL,¹¹ when personal information/sensitive personal information is transferred offshores (e.g., where employee information is collected in China but sent to an offshore data center).

Overseas employers will want to act swiftly to understand their employment practices and operations in China and put into place the adequate processes and procedures to comply with PIPL before it becomes effective. In addition, overseas employers should understand what relationships they may have with contractors in mainland China and what those contractors have done or will do to comply with the Law.¹²

For more information and how Bryan Cave Leighton Paisner LLP can help assist you with PIPL compliance, please contact Amy de La Lama, Christian Auty, or Logan Parker.

1. The PIPL, Art. 66-70.

2. The PIPL, Art. 3.

3. Id.

4. "Personal Information Processor" refers to organizations and individuals who independently decide the purpose and method of processing personal information. The PIPL, Art. 42.

5. The PIPL, Art. 4 and 28.

6. The PIPL, Art. 13.

7. See generally, the PIPL, Art. 51-58.

8. The PIPL, Art. 53.

9. The PIPL, Art. 23, 25, 29, 39.

10. The PIPL, Art. 56.

11. The PIPL, Art. 38, 40.

12. PIPL does not directly apply to Hong Kong residents or entities in Hong Kong, unless they are processing personal information of individuals residing in mainland China.