The Cybersecurity Law and protecting employee privacy

By Patrick Gu, DaHui Lawyers
Copy link

Amilestone in network information security and personal privacy protection, the Cybersecurity Law will officially be implemented from 1 June 2017. On 11 April, the State Internet Information Office issued the Measures for Security Assessments of Personal Information and Important Data Sent Abroad (Draft for Comment), launching a one-month process of seeking comment from the public. The draft provides finely detailed requirements in respect of, and guidelines on, the storage, cross-border transmission, security assessment and acceptance of personal information.

Patrick Gu Partner DaHui Lawyers
Patrick Gu
DaHui Lawyers

The previously published General Provisions of the Civil Code, to be implemented from 1 October 2017, further specify and clearly define that, “the personal information of natural persons is protected by law. Any organization or individual that wishes to obtain the personal information of other persons shall do so in accordance with the law, ensure the security thereof, may not unlawfully collect, use, process or transmit the same, and may not unlawfully buy or sell, provide or disclose the same.”

In such a stringent legislative environment, an employer must attach great importance to the issue of the collection, use and transmission of the personal information of its employees, and establish a compliance mechanism and precautionary measures to increase the protection of the privacy of its employees to avoid potential legal risks.

The author makes the following recommendations in light of the requirements of current laws and regulations:

Securing individuals’ consent before obtaining personal information

Pursuant to the Cybersecurity Law, personal information is defined as, “various types of information recorded electronically or otherwise that singly or in combination with other information can identify a natural person, and includes but is not limited to a natural person’s name, date of birth, ID document number, personal biometric information, address, telephone number, etc.”

With respect to relevant personal information provided by an individual job applicant during an employee search process, and personal information provided by an employee during the employment process, it is recommended that the employer secure the individual’s consent before obtaining the relevant information and expressly inform him or her that it collects and obtains relevant information for employment purposes.

Scope of personal information obtained to be reasonable

One of the key principles of the Cybersecurity Law is that the collection and use of “personal information shall comply with the principles of lawfulness, legitimacy and necessity”. Accordingly, when an employer obtains personal information, it should strictly define the scope of the personal information it collects, and not collect personal information unrelated to the employee’s industry or job, except where necessary for employment or a special job.

Secure storage of personal information to prevent the leakage, theft, alteration and misuse of data

An employer needs to formulate internal data security management systems and operating rules, designate someone in charge of information security, improve its internal mechanisms for the protection of personal information, prevent the leaking of personal information and prevent its personal information management personnel from abusing their position to steal and unlawfully use personal information.

Securing the consent of the individual before cross-border storage or transmission of data

The draft expressly provides that personal information and important data collected and generated in the course of operations in China are to be stored in China. Before data is sent abroad, the necessity of doing so must be assessed, the focus thereof to be an assessment of the quantity, scope, type and sensitivity of the personal information, and whether the subjects of the personal information consent to their personal information being sent abroad.

In any of the following circumstances, the competent industry authority or regulator must be asked to arrange for a security assessment: (1) the data contain or cumulatively contain the personal information of at least 500,000 persons; (2) the quantity of data exceeds 1,000GB; (3) the data contain information on such sectors as nuclear facilities, chemical biology, the national defence industry, population, health, etc., or on large project activities, the marine environment or sensitive geological information; (4) the data contain network security information, such as system vulnerabilities in, or security prevention of, key information infrastructure; (5) an operator of key information infrastructure is to provide personal information and important data to foreign parties; or (6) other data that could affect national security, or the public interest is involved and the competent industry authority or regulator deems the conduct of an assessment necessary.

The draft specifies for the first time that data cannot be sent abroad if the consent of the subject of the personal information has not been secured or the interests of the individual could be infringed. Accordingly, if an employer needs to store or transmit personal information of its employees abroad, it must secure the individuals’ consent.

Third-party compliance system

If data are to be shared or if their storage is to be entrusted to a third party, the establishment of a compliance system by the third party must be procured. At present, a significant number of enterprises use, in their operations, third-party professional human resource management software, or engage a third party to remotely store personal information of their employees in the cloud. Notwithstanding that neither the Cybersecurity Law nor the draft provide further definition in respect of such circumstances, as a “network operator” in the broad sense, such a third-party company is likewise bound by relevant laws. When using the professional services of such a third-party company, an employer is required to strictly procure its compliance with regulations on the protection of personal information and the security of the privacy of employees, and clarify responsibilities and the bearing of obligations.

The successive issuance of relevant laws, regulations and implementing measures imposes more stringent requirements on employers in respect of the protection of the personal information and privacy of their employees. In the course of collecting, storing, using and transmitting this personal information, employers must pay close attention to avoiding the legal risks that could arise from the leaking or misuse of personal information, and even compliance risks relating to national security.

Patrick Gu is a partner at DaHui Lawyers

DaHui Lawyers

办公楼一座1306室 邮编200040

Suite 1306, Jing An Kerry Centre Tower 1
1515 Nanjing West Road
Shanghai 200040, China

电话 Tel: +86 21 5203 0688

传真 Fax: +86 21 5203 0699

电子信箱 E-mail:

Copy link