A MoFo Privacy Minute Q&A: China PIPL Edition (Issue 7)

This is issue #7 of A MoFo Privacy Minute Q&A: China PIPL Edition, where we answer questions about China’s Personal Information Protection Law (PIPL) in sixty seconds or less.

Question: Am I right to understand that there is no need to obtain consent from employees in China to transfer employee personal information (PI) outside of China (e.g., when HR systems are in the U.S.)? Does a company need to utilize one of the data export mechanisms for such transfer?

Answer: Consent is the legal basis for handling PI most commonly relied on by PI handlers but it is not the only legal basis. An employer in China might potentially rely on other legal bases provided for under PIPL (such as contract performance, HR management, and fulfillment of legal obligations) to handle employee PI. (Transferring PI outside of China is a form of handling PI.) However, the precise scope of each of these other legal bases remains uncertain and PIPL does not recognize any legal basis as broad as “legitimate interest” under GDPR. Therefore, many employers in China still default to obtaining employee consent. And for those who do, separate consent is required for PI exports.

All exports of employee PI, regardless of the legal basis for handling that is relied upon, may be undertaken only in compliance with an applicable data export mechanism (i.e., (i) conducting a government-led security assessment, (ii) signing a standard contract with the overseas recipient, or (iii) securing a PI protection certification from an authorized agency).

Visit our newly launched China Privacy and Data Security Resource Center to stay up to date on legal and business analysis related to the latest China privacy and data topics. Explore our Privacy + Data Security page for additional information from our Privacy Library and Resource Centers for Cybersecurity, U.S. State Privacy Laws, and the GDPR + European Privacy.