On October 21, 2020, China’s National People’s Congress published the draft Personal Data Protection Law for public consultation, which will be held till November 19, 2020.
Generally, once a draft law is opened for review, it is only a matter of time before it is passed into a law. And when passed into a law, it would be the first-ever designated data protection law of China.
From the background screening industry perspective, it is very important to understand the key data protection principles and relate them to processes that are typically followed while conducting background screening on data subjects in China.
The draft PDPL which contains 70 articles and huge fines, bears a close resemblance to the General Data Protection Regulation (GDPR) in several aspects. Let’s take a look at a few key points that the background screening industry needs to closely look at and prepare, in order to implement changes once it is passed into a law.
1. Extra-Territorial application of law
The draft PDPL has very clear and specific extraterritorial application to overseas organizations and individuals that process personal data of data subjects in China.
– For analyzing or assessing behavior of data subjects in China
– For selling products/services to data subjects in China
– In other circumstances as defined by Chinese regulators
If you are conducting background screening for data subjects in China, you will be required to take adequate steps to comply with the principles defined in the draft PDPL when it is passed into a law.
2. Data localization and Cross-border transfer
Data localization requirements are applicable to CIIO (Critical Information Infrastructure Operators) and personal data processors that process personal information above a specific threshold. This threshold will be defined after the draft is passed into the law.
General data processors will have to make a note of the following mechanisms which they can follow for cross-border transfer,
– Signing cross-border data transfer agreement with the overseas recipient of the data
– Separate consent of data subject
– Certification issued by the entities authorized by Cyberspace administration
– Any other as defined by other laws and regulations (E.g. Cybersecurity law which came into effect in 2017.)
A third party processing personal data on behalf of the data processor cannot further outsource it without the data processor’s consent.
Employers and background screening companies will have to appoint representatives in China and also furnish details of personal data along with the purpose for its collection to Chinese regulators. Furthermore, as per the draft, organizations must execute an agreement for cross-border data transfer between the respective parties.
Earlier, there was a clear lack of clarity of the requirements for gaining consent to initiate a background check, however, the draft PDPL has addressed this need. Consent must be freely given, informed, and wilful from the data subject’s side.
In the case of sensitive personal information, a separate opt-in consent would be required. The specifications around a ‘separate consent’ are not yet clear. Sensitive data includes but is not limited to race, ethnic group, religious beliefs, personal biometric data, health data, financial account data, and location data.
There are further stringent requirements for gaining consent for the transfer or sharing of personal data, automatic decision-making, etc.
With these requirements in place, employers or background screening providers need to revalidate the language/clauses used in their screening consent forms, in order to ensure they remain compliant with the draft legislation. It is also important to note that, information being collected from the data subject is absolutely necessary for processing and the purpose of collection should be in accordance with the local law.
Penalties for serious violations as per the draft are relatively hefty, so it is paramount to understand the regulations stated in the draft PDPL. Once it is passed as a law, employers and background screening companies conducting background screening for data subjects in China will have to change their procedures and ensure they remain compliant with the new set of regulations.
If an individual or entity violates the draft PDPL, they will be fined up to ¥50 million or up to 5% of the preceding year’s revenue. Of course, the respective parties will be fined if they fail to adopt necessary changes even after receiving the notice from CAC.
There are other requirements as per the draft PDPL, however, the above mentioned are the key points from the point of view of background screening organizations and employers who are conducting background screening on the data subject from China. Once this is passed as a law, background screening providers will have to do few changes as mentioned below,
– Appoint your representatives in China or have a cross-border transfer agreement in place with your partner in China.
– Review the language used in your consent forms and ensure they comply with cross-border transfer rules.
– Get your China entity certified by the authorized entities of CAC or make sure your partner in China with whom you have a cross-border transfer agreement is certified.
If you are collecting sensitive data such as health information when you are required to conduct the following checks, namely,
– Drug tests
– Medical check
– Credit check which may entail data subject’s financial account data
– Biometric checks
Take steps to ensure you collect separate consent from the data subject. If the data subject denies providing the consent, one cannot force them to consent.
In 2016, the General data protection regulations brought in several stringent guidelines for handling of personal data for those in the European Union. Quite recently, Brazil has enforced stringent data privacy regulations to safeguard the data of those residing in its country; India is also looking to pass a similar bill on personal data protection.
A Gartner report says that: “By 2022, half of our planet’s population will have its personal information covered under local privacy regulations in line with the GDPR.”
Considering this, it is high time for background screening providers to critically review their processes and make sure it meets local and global compliance regulations.
To learn more about China’s data privacy regulation and how your organization should comply with it, drop a line via email@example.com. Our subject matter experts will be happy to assist you.