China has strengthened its commitment to protect personal information by adopting the new Personal Information Protection Law (PIPL 《中华人民共和国个人信息保护法》) which gives data subjects the power to control and determine how, with whom and for what purposes their personal information can be shared, analyzed or handled. Our Firm has previously released a more detailed discussion on the PIPL, which took effect on 1 November 2021.
In the context of compliance investigations, typical activities can include accessing and analyzing employees’ personal information. The investigation team may also want to engage external professional assistance or share such information with head offices located outside China. Under the PIPL, these activities require general or specific consent from the data subject, which may not be feasible in light of the sensitive and confidential nature of an investigation.
In our client alert, we discuss how the new PIPL obligations, such as express consent, have created practical challenges for businesses seeking to conduct an internal investigation as part of their corporate compliance or internal controls program.
- Companies seeking to conduct an internal investigation are obliged to comply with the PIPL, which among other things, requires the express consent of a data subject where the processing of sensitive personal information or cross-border provision of personal information is involved.
- Although the PIPL includes grounds which exempt an individual’s express consent and excludes anonymized information from the definition of “personal information”, these contain certain limitations and uncertainties.
- When conducting an internal investigation, businesses should not solely rely on the statutory grounds of exemptions to overcome the requirements under the PIPL and should seek legal assistance to understand the relevant risks and limitations.
- Businesses should proactively review and update their corporate compliance policies (e.g., whistleblower policy, investigation protocols and other internal control procedures) to ensure compliance with the new rules under the PIPL.
- Companies should train employees and staff on the requirements under the PIPL and other data security law to ensure that they comply with the new laws in the execution of their duties.
In more detail
Scenarios where personal information may be accessed in investigations
In the context of a compliance investigation, it is inevitable for an investigation team to touch upon and review specific personal information, or even sensitive personal information [1]. Examples of activities involving personal information include:
- Collecting employees’ personal information (e.g., education and work history), reviewing records of work emails related to potential non-compliant matters or incidents, and using information provided by whistleblowers.
- Obtaining sensitive information of employees, such as bank accounts, expense and reimbursement records and their location during relevant periods.
- Accessing and processing personal information of third parties, such as business partners and customers.
It is worth noting that the PIPL imposes information protection duties, some of which are similar to the EU’s General Data Protection Regulation (GDPR), whilst the others are stricter than the GDPR, especially in the scenarios of third-party data access and cross-border transfer. Unlike the GDPR, the PIPL takes national security and public interest into consideration when regulating personal data protection, and grants certain powers to Chinese enforcement authorities (for more details please refer to our client alert here).
Statutory consent exemption
In practice, once an investigation has commenced, obtaining express consent from an individual who is under investigation to provide personal information becomes challenging and difficult. In addition to the express consent mentioned, Article 13 of the PIPL also establishes six grounds which exempt the requirement for express consent for processing personal information. We have extracted three exemptions which are relevant to compliance investigations – 1) implementation of human resources management, 2) performance of statutory duties, and 3) processing data that has been lawfully disclosed in a reasonable scope. However, we consider that these exemptions contain certain limitations and discuss these in more detail below.
- Implementation of human resources management — it is not clear that corporate compliance investigations can be recognized as a part of human resources management from a legislative or judicial standpoint. Furthermore, if an investigation requires the participation of external counsel and/or other service vendors, separate consent for transferring personal information to a third party is still mandatory under the PIPL. The same challenge will be encountered in relation to the transfer of personal information abroad (such as transferring personal data to a company’s offshore headquarters for further review and/or decision-making).
- Performance of statutory duties — Government enforcement authorities can process personal information without prior consent by invoking this exemption, but whether this ground can be extended to an internal investigation or audit remains unclear.
- Processing data that has been lawfully disclosed in a reasonable scope — the scope of “disclosed information” is relatively limited [2]; information that is only shared or circulated within the company may not qualify for such an exemption.
Based on the current rules, it may be difficult in practical terms to delineate the boundary between when express consent from the data subject may be required in an internal investigation, and when the above exemptions can be invoked. A company conducting an investigation will need to be aware of the limitations under the above exemptions and should not fully rely on these grounds to overcome the restrictions imposed by the PIPL. Failing to address these issues in advance may impact the credibility of an investigation or in a worst case scenario, may lead to the inability to continue the investigation.
The PIPL excludes anonymized information from the definition of “personal information.” Hence, anonymization can provide an alternative approach when no general consent or separate consent can be obtained from the relevant data subjects. Nevertheless, such an alternative approach has its own limitations in light of the definition of “personal information” under the PIPL: any information that enables the identification of an individual may constitute personal information. For example, an employee may send out an email approving a certain matter for which he or she is the only reviewer. Even if all information that can identify an individual, such as name and title, is redacted from the email, the email as a whole may still constitute personal information that can identify the employee.
More importantly, excessive anonymization may not help investigations. The first step of a compliance investigation aims at discovering non-compliant activities and the individuals involved. The outcome relies on concrete evidence, which may contain personal information and is therefore at odds with the nature of anonymization.
At the time of writing, the PIPL has not provided guidance for the handling of personal information in compliance investigations. We will provide a further update upon the release of any implementation rules and guiding interpretations. In the meantime, as mentioned in the key takeaways section above, businesses may wish to proactively take steps to ensure that the compliance programs of their Chinese operations are in compliance with the requirements under the PIPL.
[1] According to Article 28 of the PIPL, sensitive personal data shall refer to personal data that, once leaked or used illegally, may easily infringe on the personal dignity of natural persons or endanger personal or property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts tracking and other data, as well as the personal data of minors under the age of 14.
[2] According to the national standard “Information Security Technology – Personal Information Security Specification” (《信息安全技术 个人信息安全规范》, GB/T 35273-2020), disclosed information shall be information that is shared and disclosed to the public by the subject voluntarily.