Getting right personal information protection and maternity leave

Currently, companies worldwide are called by both domestic and international regulations to become corporate citizens rather than merely profitable entities. In China, 2021, domestic legislation focused on data and cyber protection and introduced measures to support the third-child policy. Namely, Personal Information Protection Law (“PIPL”), effective from November 1 2022, obligates companies to strengthen personal data handling, process, and storage, and from late November, provinces and municipalities across China extended maternity leave to support the 3-child policy (announced on May 31, 2021, following the Chinese Communist Party Politburo meeting chaired by President Xi Jinping). As a result, in 2022, human resources (“HR”) across China should diligently implement plans to comply with such changes and obligations.

At Horizons, we have been working with clients to adjust employee policies and summarise the main aspects for human resources to practically implement changes.

Personal Information Protection Law

PIPL is the first legislation to address misuse of personal data and sets forth mandatory requirements for companies processing such data. Though data handling related to human resources do not require the employee’s consent, PIPL does introduce stricter obligations for those handling sensitive personal information, such as biometrics, religious beliefs, medical and health and so forth. Namely, companies shall obtain specific consent and inform such individuals of the necessity and impact on their rights and interests. Therefore, companies should audit the existing personal information processing systems to gain a comprehensive employee data overview and, if necessary, draft specific consent forms aligned with PIPL.

Equally, companies may only transfer personal information outside mainland China by fulfilling provisioned conditions. Under PIPL, such conditions are generally outlined and require further guidelines for companies to proceed ahead. We suggest HR keep abreast of forthcoming related guidelines, especially those handling large volumes of personal information that meet a threshold set by the National Cyberspace Authority.

Maternity Leave

In late November 2021, parental leave extensions were adopted in Chinese cities and provinces to stimulate the 3-child policy. Extended leave policies aim to reduce the burden of childbirth and childcare. The extended number of days varies from province to province or city to city, for example in Shanghai, maternity leave is extended to 158 days. For companies, the amended policies shall directly impact employee leave policies and workforce planning and costs to cover extended leave.

We suggest that companies should conduct an employee consultation process before any amendments are made to employee leave policies and ensure employees are entitled to the legally allocated number of leave days. Namely, clear specification of the type of leave and number of days such as maternity leave, paternal leave for working parents and carer’s leave. In this manner, companies can reduce the risk of labour disputes since the amendments are consented by employees and legal blinding.

Both PIPL and extended maternity leave reflect Environment Social and Governance (“ESG”) principles emerging in China. As an important international topic, we anticipate ESG to be present in forthcoming legislation in China, however, governed by President Xi Jinping Thought on Socialism with Chinese Characteristics.

This content appears as a courtesy of Horizons Corporate Advisory, a proud member of the China Collaborative Group (CCG Association). It is informational in nature and does not constitute legal advice or establish an attorney-client relationship between you and its author, publisher or any member of CCG. For more information, please visit www.horizons-advisory.com. 

The post 2022 China Employment appeared first on China Collaborative Group.

DPB-the highlights

As stated, the DPB comprehensively incorporates most of the governing norms on data protection.

Comprehensive Incorporation of Core Principles on Data Protection

There are several internationally recognised core norms for data protection. These include Fair and lawful processing of personal information, Purpose specification, Minimality, quality, Openness and transparency, Data subject participation, Sensitivity, Security and confidentiality and Accountability.[1]

The DPB mandates data controllers to process information fairly, in a transparent manner and subject to the data subject giving consent.[2] This suffices as lawful processing of personal data under the DPB. Section 19 of the DPB also requires specific treatment for sensitive personal data. The DPB requires purpose specification for the processing of personal data, minimality, quality.[3] Data subject participation is guaranteed under part IV of the DPB which outlines the rights of a data subject. Data security is comprehensively regulated under Part V of the DPB. In all this, it is easy to appreciate how comprehensive the DPB is in embracing the international norms and standard on data protection.

Cross-Border Transfers of Personal Data

The DPB adopts a comprehensive framework for cross-border transfer of personal data.[4] This is a great step towards ensuring data protection in cross-border online transactions. This is because the DPB effectively provides a platform against which cross-border flows of personal data can be regulated. This can be sharply contrasted from the old Electronic Transactions and Cyber Security Act, which did not contain any provisions regulating cross-border flows of personal data in electronic transactions.

The DPB can be commended on many fronts including the condition of making data flows primarily subject to a decision on the adequacy of data protection in the foreign country to which the data will be transferred. [5]  The DPB is progressive in that data transfers can be authorised where the foreign country has a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that afford an adequate level of protection.[6] This list is exhaustive enough to ensure sufficient facilitation of cross-border flows. In the absence of an adequate level of protection of any of the foregoing, a data transfer can be authorised under these conditions: if the data subject gives consent; if the processing is necessary for performance or conclusion of contract involving the data subject; and where consent cannot be practicably given, the transfer is nevertheless in the best interest of the data subject and the data subject would not have objected to it had he been asked.[7] These exceptions are broad enough to ensure the pace of international transactions is not unnecessarily hindered.

Data Protection by Design and Default

The DPB is also very progressive in that it accords the Authority with the power to publish directions on good practices and codes of conduct in data protection including the application of data protection principles by design and default in the processing of personal data.[8] Data protection by design is a concept that dictates that in light of progressive data protection regimes, companies must ensure that in their activities they incorporate data protection. Essentially since the companies must comply with data protection they must not wait for breaches before they address data protection but rather from the commencement of any action or process data protection must be incorporate and addressed.

On the other hand, data protection by default entails that for those computer products already released, there must be adherence to the highest standard of privacy to ensure data is kept safe and secure. Further, any data necessary for the operation of the product should only be kept for the minimum possible amount of time. The incorporation of these concepts in the DPB is a remarkable step in ensuring that privacy will be respected as technology gets more sophisticated.

The DPB clearly updates the data protection landscape in Malawi to comparable international standards.  This is indeed a shift in the right direction and will ensure that Malawi takes part in the information age. In my next article I shall explore some of the weaknesses in the DPB that may yet be improved to ensure comprehensive legislation is enacted.

Author: Gonjetso Dikiya LLB(Hons) University of Malawi; LLM candidate in Information and Communications Law, University of the Witwatersrand.

Head of Legal Services- Dispute Settlement Services

This content appears as a courtesy of Ritz Attorneys at Law, a proud member of the China Collaborative Group (CCG Association). It is informational in nature and does not constitute legal advice or establish an attorney-client relationship between you and its author, publisher or any member of CCG. For more information, please visit https://ritzattorneys.com/.

[1] Roos Anneliese ‘Core Principles of Data Protection’ 2006 CILSA 102-130.

[2] S. 18 of the DPB

[3] S. 23 of the DPB.

[4] Part VI of the DPB.

[5] S. 34(1)(a) of the DPB.

[6] S. 34(1)(a) of the DPB.

[7] S 36 of the DPB.

[8] S. 13 of the DPB

The post Insights into Personal Data Protection Bill appeared first on China Collaborative Group.

Deng Xiaoping initiated the Reform and Opening Up policy and opened the door to the world in 1978. As a result, China’s GDP rose from 367.9 billion yuan in 1978 to 15.45 trillion yuan in 2020 and lifted China from a third-world country to becoming a global economic superpower.

In the last 40 years, China’s significant economic growth has increased its role in the world both as a trade and investment partner and as an international Institution member in the United Nations (1945), World Trade Organisation (2001), and World Bank (1980). As a result, China holds a more influential and significant role in the world today than 40 years ago and more recently demonstrating a more mature and assertive stance.

Internationally, China has increased activism and assertiveness within international institutions (“Institutions”) in recent years. Specifically, China increased engagement in formulating policies and positions within the Institutions and increasingly utilised such Institutions as platforms to articulate its’ position. Equally, today’s institutions represent a broader range of countries with different priorities, needs, and interests than the founding members. Therefore, Institutions are increasingly evolving from the post-second world war era, in which the USA played a primary role in the founding principles of the Institutions.

Domestically, China has adopted a collection of legislation to strengthen the national sovereignty and interests, including:

• The Cyber Security Law of the People’s Republic of China effective from 1 June 2017
• The Export Control Law of the People’s Republic of China effective from 1 December 2020
• Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and other Measures, effective from 9 January 2021
• The Anti-Foreign Sanctions Law of the People’s Republic of China effective from 10 June 2021
• Data Security Law of the People’s Republic of China effective from 1 September 2021

For companies and individuals doing business in or with China, such legislation defines business operations – especially cross-border activities in several areas.

With a rapidly growing middle-class in China, the Chinese market for many companies is an increasingly important and growing market segment. Therefore, companies either invested or planning to invest in the Chinese market cannot disregard national sovereignty and interests’ compliance within their business operations. Below, we highlight the three key areas of national sovereignty and interests’ compliance applicable to companies doing business in or with China.

Cyber and data security

Cybersecurity for many countries is a top national priority to maintain secure networks and protect data from cyber-attacks.

In China, cyber security is centred on the security of the collected data, and companies are obliged to ensure networks collecting and processing the data are secure, monitored and shall not endanger national security or sovereignty.

The Cyber Security Law of the People’s Republic of China (“CSL”) and Data Security Law of the People’s Republic of China (“DSL”) are two primary legislation governing cyberspace and affect all companies working with data collection, processing, and management in China.

Cyber Security Law

The CSL establishes the compliance framework for network operators and is the overarching law for cybersecurity.

Under CSL, the network operator is defined as owners and administrators of the network and network service providers and obliged to ensure servers and data stored, transmitted, or created on such servers are secure and protected from cyber-attacks. Furthermore, the CSL outlines a Critical Information Infrastructure (“CII”), which subjects information crucial to national security and economy to store the collected and produced personal information and important data within the territory of mainland China. Any data required to be transmitted aboard shall be conducted under measures of the Cyberspace Administration of China.

Data Security Law

DSL sets forth an overarching framework to regulate data handling and management accordingly with national sovereignty, security, and development interests.

Under the DSL, the scope and definition of data include any record of information in electronic or other forms and imposes an extraterritorial application to China-related data handling and management.

Organisations and individuals are obliged to ensure and formulate data management policies, cooperate with public security and national security organs that require their data for national security or criminal investigation. Mismanagement of data, specifically those handling important data could face significant liabilities for both the company and individual.

Export Controls

Prior to the adoption of the Export Control Law of the People’s Republic of China (“ECL”), export controls were scattered across several laws. The ECL is the first comprehensive framework establishing export controls, a list of controlled items, and provisioning extra-territorial application to individuals and organisations outside of China who endanger national security and interests.

Under the ECL any export of the controlled items from an individual or organisation within the territory of mainland China to an overseas individual or organisation is subject to certain obligations including obtaining the relevant license from the State Export Control Authorities. Controlled items are defined under the ECL as the following:

• Dual-use items which can be for civil and military purposes or helping to improve military potentials, especially goods, technologies, and services in design, development, production, or application utilised for weapons of mass destruction;
• Military products comprising of equipment, special production facilities, and other related goods, technologies, and services utilised for military purposes;
• Nuclear materials, including nuclear equipment, non-nuclear materials used for nuclear reactors, and related technologies and services;
• Technical materials and data related to the items listed above.

For companies with an international supply chain or engaged in cross-border research and development, the ESL has a significant impact on exporting operations. For example, foreign items containing components assembled or manufactured in China could be deemed as controlled items or cross-border research or technology transfer, activities such as research, inter-company research (where the research and development centre are in China), or technology sales to foreign enterprises could be classified as related technical material and data – thus subject to export control.

Addressing sanctions

In 2021, China addressed the application of foreign legislation and sanctions to Chinese individuals and legal entities both within and outside of the territory of China. Two main legislation were enacted and established a stricter stance against foreign economic sanctions against Chinese organisations and individuals.

Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and other Measures

Early this year, the Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and other Measures (“Rules”) were promogulated by the Ministry of Commerce. The Rules provision a working mechanism for Chinese companies and individuals affected by extraterritorial foreign legislation that prohibit or restrict engagement in normal economic, trade, and related activities with a third State (or region) or its citizens, legal person, or other organisations. Affected individuals or entities are required to such matters to the State Council within 30 days. The State Council shall issue a prohibition order to oppose an unjustified extra-territorial application of foreign legislation and other measures.

Foreign companies in China especially multinationals should note the Rules stipulate any Chinese entities who comply with the unjustified extra-territorial application of foreign legislation subject to a prohibition order can be pursued in court.

The Anti-Foreign Sanctions Law of the People’s Republic of China

The Anti-Foreign Sanctions Law of the People’s Republic of China (“AFSL”) establishes the regulatory framework for foreign persons, both legal entities and individuals, acting against China’s national interests. Under the AFSL, organisations, individuals, and affiliated individuals who directly or indirectly participate in formulating, deciding, and implementing discriminatory restrictive measures against China shall be included in a Sanctions List (“List”). Those included in the List shall be subject to penalties including visa restrictions, prohibitions, or restricted conduct in transactions, cooperation, or other activities with Chinese organisations or individuals. Therefore, for foreign companies and individuals doing business in or with China, AFSL significantly impacts external conduct and communications, and public relations.

Whilst some may view a more assertive China negatively, China’s international significance and role cannot be disregarded. Specifically, in the business world, companies involved in the Chinese market should evaluate their full operations and third parties’ relations and update relevant policies or establish China-specific policies, otherwise risk legal penalties and economic losses. Unless companies forgo the China market completely, the recent legislative movements in strengthening national sovereignty and interests should be reflected in company operations and policies. Companies generating business from China cannot disregard China’s principles around national sovereignty and interests.

This content appears as a courtesy of Horizons Corporate Advisory, a proud member of the China Collaborative Group (CCG Association). It is informational in nature and does not constitute legal advice or establish an attorney-client relationship between you and its author, publisher or any member of CCG. For more information, please visit www.horizons-advisory.com. 

The post China’s assertive stance and the impacts for your company appeared first on China Collaborative Group.