Asia-Pacific employment law bulletin 2022
Developments in the light of COVID-19
After early and strict lockdowns and border controls in 2020, the number of COVID-19 cases remained low in China over 2021. Since March 2021, the international travel ban has been lifted for limited categories of travellers including those travelling to China for work. Although individuals are still required to wear masks, have their temperatures checked and to use a tracking software when they enter public places, most workplaces have been fully opened up to workers (regardless of vaccination status) without gathering or capacity restrictions.
Employee data processing
Meanwhile, a new data privacy legislation brings challenges to employers when they collect travel history, vaccination or other relevant information from employees. The Personal Information Protection Law of the People’s Republic of China (the “PIPL”) came into effect on 1 November 2021. Employers are generally required to obtain an employee’s consent for the collection and processing of the aforementioned personal information (and, for sensitive personal information such as health and medical data, separate consent is required), unless one of few limited exemptions apply, e.g., when it is necessary for the employer to perform legal obligations or to respond to emergencies. Consent has been the default data processing requirement in China before the PIPL, but now individuals have enforceable rights under the PIPL against any organisation that collects and processes their data. The PIPL also imposes severe penalties of up to RMB50 million (c. USD 789,000) or 5% of an organisation’s annual revenue for any breach.
Extended leave for childcare announced in various provinces and cities
Amendments to the Population and Family Planning Law of the People's Republic of China came into effect in August 2021. In an effort to boost birth rates and to battle the aging population, families can now lawfully have up to three children. The amendments also encourage the provision of childcare leave for parents and other necessary support to boost the birth rate. Local governments have taken note of the directional change and have sprung into action. Nearly twenty provinces and cities amended local regulations to extend maternity leave and/or to provide additional leave for childcare purposes. For example, Shanghai released its amended population and family planning regulations in November 2021, giving an extra thirty days on top of the current maternity leave, and five working days of childcare leave each year to the parents of a child under three years old. Beijing has matched Shanghai in terms of the new leave and is further allowing female employees to extend maternity leave for another one to three months (if approved by her employer). Moreover, in Beijing, parents can reallocate their childcare leave (i.e. five working days for each parent) between themselves, as long as the total number of days does not exceed ten working days.
In light of these changes, employers need to take immediate measures, including updating their leave policies to ensure compliance. Although these changes are welcomed by employees, there are some concerns that the increased employment costs may lead to general unwillingness or reluctance for employers to employ women in the workplace.
New challenges for protecting employee data
Since the PIPL came into force, employers are facing more challenges when they collect and process employees’ personal data. The PIPL is known as China’s equivalence of the General Data Protection Regulation in European Union, with remarkable extra-territorial effect which may catch foreign companies’ data processing activities conducted overseas as well.
Several key requirements are worth noting before an employer considers collecting and processing data from the employees:
- Employees need to be presented with conspicuous, easy to read and comprehensive privacy notices that set out, among other things, the purpose and the means of processing of personal data, the type of personal data that will be processed, and the retention period. It is also recommended to socialise the privacy notice through regular training or other means and obtain employees’ written acknowledgement for record.
- Consent from the employee is required for data processing unless an exemption under the PIPL applies. The exemptions that could potentially be relevant at a workplace are when the data processing is necessary:
- for human resources management in accordance with internal policies or collective bargaining agreements; and
- for performing statutory responsibilities or obligations.
- Separate consent is required to process sensitive personal data, including but not limited to health and medical data and financial data.
- For multinational companies, transferring employee data outside China or giving the data access to overseas affiliate/personnel is subject to the restrictions under the PIPL. In general, the export of personal data is not permitted unless under one of the specified grounds, one of which is to put in place a data transfer agreement between the China affiliate and the foreign entity which will have access to, receive and further process the Chinese employees’ personal data.
In short, employers will need to update their internal procedures, policies and practices to enhance protection of employee data in order to comply with the PIPL. There are certain provisions in the PIPL that will benefit from further clarification through the development of supplemental rules, interpretations and enforcement practices. Shortly before and after the PIPL came into effect, legislators and regulators are intensifying their efforts in refining the requirements under the PIPL, including the release of two draft regulations for public comment, the first being the Data Export Security Assessment Measures, which covers the assessment procedures for personal data to be transferred overseas and the second being the Network Data Security Management Regulations, which provides more detailed rules for personal data processing, data breach notification, etc. These regulations and other guidance and interpretation, which are in the pipeline, will no doubt help employers better understand how to comply with the PIPL in practice but they may also add further “to-dos” to employers’ compliance agendas.