The PRC government promulgated its Cybersecurity Law on November 7, 2016, with an effective date of June 1, 2017. To say that foreign tech firms are concerned about the impact of this new law on their business in China would be an understatement. In addition to tech firms, our China lawyers have received a steady stream of questions from clients with China WFOEs who are concerned about an entirely different set of issues. Article 35 of the law states that “personal information and other important data gathered or produced by critical information infrastructure network operators during operations within the mainland territory of the People’s Republic of China, shall store it within mainland China.” Our clients keep asking what this will mean for them.
The surprising answer is not much.
Any company that operates a WFOE in China collects personal information about its employees. China’s new cybersecurity law defines personal information as “all kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person’s identity, including, but not limited to, natural persons’ full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers, and so forth.” Certainly, the standard information any company maintains on its employees will qualify as personal information under China’s new cybersecurity law.
In the EU and various other jurisdictions, such personal information must be maintained within the jurisdiction and there should be no transfer of such information across borders. This causes many problems for companies that seek to manage an international workforce through a central location.
So what clients keep asking our China attorneys is whether China’s new cybersecurity law will establish the same sort of protective system within China. The simple answer is that it will not. China does not have a comprehensive law or regulations relating to the collection, processing or transfer of employee data gathered by a WFOE or other business entity in the normal course of its China business operations, and China’s new cybersecurity law does not change that situation.
The cybersecurity law specifically provides that its personal data maintenance and collection rules apply only to critical infrastructure network operators. Network operator is defined as “network owners, managers and network service providers.” In more general terms, this means telecom operators and ISPs. The requirements do not apply to the China business operations of normal private businesses with respect to their normal record keeping requirements for their employees.
Even though nothing has legally changed in China, it is still best practice for foreign employers in China to follow the basic rules the PRC government imposes more generally in the consumer context on the collection and maintenance of personal information, including the following:
1. Be sure the disclosing party (your employee) is aware that the company maintains personal information. The company should have a written policy (in Chinese and in English) on how long that information is maintained and that policy should be revealed to the employee.
2. You should not collect more personal information than necessary.
3. You should maintain the confidentiality of the personal information you collect and maintain. That means you should limit internal access to that information and you should take proper security measures to prevent a data breach of the company’s online systems.
4. You should not sell or otherwise transfer the personal information to any third party. Stated more bluntly, do not sell employee personal information to marketers or spammers.