2021.10.20 WANG, Dongpeng、 LU, Zhen、 HE, Jing
In our previous client updates, we have introduced the concept of personal information and the basic principles and core rules for processing personal information under the Personal Information Protection Law (“PIPL”), which takes effect on November 1, 2021.
The PIPL also provides for the first time in China a definition of “sensitive personal information” in a national law. This update will discuss the types of information considered to be sensitive personal information and the special requirements for the processing of sensitive personal information. This update will also discuss a recent case that has been hailed the “The First Facial Recognition Case of China” and its potential impact on how employers should handle sensitive personal information of employees.
Under the PIPL, sensitive personal information is distinguished from general personal information by two key characteristics:
there is a high probability that the leakage or illegal use of the personal information would cause serious harm to the individual; and
the probable serious harm to the individual includes infringement of the individual’s dignity, or harm to the safety of the individual’s person or his/her property.
The PIPL lists certain types of personal information that are considered sensitive personal information, namely biometric information, religious beliefs, race or ethnic groups, medical and health data, financial data, location data, as well as all personal information of minors under the age of 14. The PIPL indicates that this list is not exclusive. Thus, government authorities and courts could have the right to deem additional types of personal information as being sensitive and thus subject them to higher levels of protection.
There is overlap between sensitive personal information and private personal information (the latter is a concept under China’s Civil Code), both of which include medical and health data, financial data, sexual orientation, location data, and undisclosed criminal records. Sensitive personal information focuses on the possibility of serious harm to individuals resulting from the information leakage or illegal use; private personal information focuses on information about an individual that is not known by others. For example, personal hobbies are private personal information. The leakage or the unlawful use of information related to personal hobbies would usually not cause serious damage to individuals. As a result, personal hobbies would generally not be considered sensitive personal information. In contrast, ID card information, ethnicity, race, and religious beliefs are sensitive personal information, because such information could be known to a wide number of people within certain scopes. So they are usually not considered to be private personal information.
The PIPL sets forth stricter requirements on the processing of sensitive personal information when contrasted with processing of general personal information. The stricter requirements are reflected from the following four aspects:
Under the PIPL, an employer may process sensitive personal information only if the processing is for a specific purpose and is fully necessary, which is a higher standard than required for the processing of general personal information. While the PIPL does not provide guidance on this higher standard, the Guo v. Hangzhou Safari Park case (as discussed below) sheds light on what may be required of employers in this regard.
Under the PIPL, when the legal basis for processing personal information is consent, this consent could likely be in a bundled format with a single expression of consent covering multiple types of processing. In contrast, when consent is the legal basis for processing of sensitive personal information, an information processor (e.g., an employer) would need to get “separate consent”. While the PIPL is silent on details of this requirement, this type of consent may require notification separately listing each type of sensitive personal information and each type of processing activity with corresponding consents for the employee to execute.
As discussed in a previous client alert, an employer has the right to process employee sensitive personal information without obtaining the separate consent from employees concerned if the employer has an alternative legal basis to process the sensitive personal information certain conditions set forth in law have been satisfied, such as the processing is necessary to carry out human resource management. However, employers should pay attention to the following points:
when collecting and processing sensitive personal information based on the necessity for carrying out human resource management, employers should take extra caution to ensure that necessity is the primary criteria for the processing;
keep close watch on the policy trends given that administrative and judicial authorities may limit the legal basis for processing sensitive personal information to separate consent only.
Under the PIPL, in addition to the information that an employer must disclose to an employee in regard to the processing of general personal information (e.g., processing purpose, contact information of processor), information processors processing sensitive personal information must inform employees of the necessity of processing the sensitive personal information and the “impacts of the processing on the rights and interests of the individual”. These notification requirements apply regardless of the particular legal basis that supports the processing of the personal information.
The PIPL requires the personal information processor to take more stringent measures to ensure the security of sensitive personal information. Under the PIPL and the Information Security Technology-Personal Information Security Specification (GB/T 35273-2020), the following security protection measures must be taken for processing sensitive personal information:
security measures such as encryption measures must be taken for the storage and transmission of sensitive personal information;
personal biometric information and personal identifiable information must be stored separately from each other;
under normal circumstance, no original personal biometric information may be stored (e.g., summaries of personal biometric information may be stored); and
prior impact assessment of sensitive personal information protection must be conducted and the records of the processing activities must be kept.
A landmark case addressing sensitive personal information was Guo vs. Hangzhou Safari Park, which was decided in April 2021 by the Hangzhou Intermediate People’s Court. While this case was a commercial dispute decided on the basis of the former General Principles of the Civil Law and the Consumer’s Rights and Interests Protection Law, and was decided before the effective date of the PIPL, the case gives an important indication on how employers can be expected to treat employee sensitive personal information.
In April 2019, Guo Bing purchased two annual passes from the park for himself and wife, who was identified in the court decision only as Ms. Ye. In accordance with the park’s annual pass rules, Guo submitted his and Ye’s fingerprints and photos. The park later changed the entrance procedure of annual pass holders from fingerprint recognition to facial recognition, and asked Guo and Ye to enter their facial images into the park computer system. The park also attempted to use the photos Guo and Ye had submitted for the new park entrance system.
Guo and Ye refused this request, deeming facial recognition images as highly sensitive matters of personal privacy. After the park refused to give him a refund for the cost of the annual passes, Guo sued for damages and deletion of the personal information that was submitted.
The second trial immediate court upheld a lower court the decision of first trial court that the park did not have the unilateral right to change the park entrance method and thus was liable for breach of contract. In addition, the park’s attempt to turn the photos of Guo and Ye into facial recognition information exceeded the original purpose for the collection of the photos and therefore violated the “principle of justification” (which has been supplemented in the new Civil Code and PIPL by “principle of necessary”). As a result, in addition to awarding damages, the court ruled that all facial recognition information including the photos of Guo and Ye should be deleted. Moreover, as the park stopped using the entrance method of fingerprint recognition, the fingerprint information should also be deleted.
Facial recognition information is typical sensitive personal information. As a renowned scholar has pointed out, facial recognition information belongs to “core privacy”, and it is often related to other types of private personal information (e.g., some bank accounts are tied to facial recognition information). Furthermore, facial recognition information can be obtained without direct contact with or even knowledge of the individual concerned and the underlying characteristics of images cannot be easily changed without surgery. These factors make facial recognition information highly sensitive, requiring a high level of legal protection. Any personal information processor must inform and obtain separate consent from an individual before processing facial recognition information.
The park had implemented an entrance procedure based on fingerprint recognition, which was agreed to by Guo. Thus, with an existing, agreed entrance procedure in place, it was not necessary for the park to collect additional sensitive personal information for a new entrance procedure. This principle of necessity is also a key requirement in the PIPL. Therefore, employers should not collect employee facial recognition information unless it is necessary to achieve the processing purpose. In particular, employers should carefully take necessity into consideration when deciding whether to adopt facial recognition as the method of recording employee attendance or building access.
The park attempted to turn the photos of Guo and Ye into facial recognition information, which is beyond the purpose of the collection of the photos. Use of facial images shall not be permitted if the purpose of use is different from the purpose for which the images are collected. If it is necessary to use facial images of employees for a different purpose, employers should first inform the employees of the new purpose and obtain their separate consent.
Based on the above discussion, we suggest that employers pay attention to the following important issues when processing employee sensitive personal information in order to mitigate legal risks.
Employers should conduct data mapping of employee personal information that needs to be processed for conducting human resource management to identify sensitive personal information involved. In so doing, employers can further meet the special requirements for processing sensitive personal information.
Although employers may process employee sensitive personal information without obtaining consent if an alternative legal basis is applicable (such as based on the necessity of conducting human resource management), employers should take extra caution and have necessity as the primary criteria in determining the scope of the sensitive personal information to be processed. Because facial recognition information could be deemed to belong to core privacy interests, employers must not only fulfill adequate disclosure obligations, they may also be required to obtain employee separate consent in most employment scenarios.
Regardless of the legal basis for processing the sensitive personal information, employers should fulfill not only the disclosure obligations to process general personal information, they should also inform employees of the necessity of processing sensitive personal information and the impacts of the processing on the rights and interests of the employees.
When processing employee sensitive personal information, employers should adopt more stringent security measures in accordance with the requirements under the PIPL and the Personal Information Security Specification.