Alert
Alert
03.19.20
In the past two months, China has been fighting against the outbreak and spread of the novel coronavirus pneumonia (COVID-19). During that process, a wide range of Chinese government authorities and other entities at all levels (including airports, railway stations, landlords/property managers, hotels, hospitals, neighborhood communities, etc.) have been collecting a notable amount of personal information, such as travel records and family members who stay together. In particular, employers in China (including both domestic and multinational companies) are required by different authorities and entities (such as the public security bureau, landlords and property managers, residence committee, etc.) to collect personal information of employees and submit that information to relevant third parties to address current public health concerns.
Most recently, due to the infectious nature of the virus, it is rapidly spreading throughout the world. Since China has not suspended flights from most countries, people can still travel to China. After China successfully contained the spread of the virus within most of the cities, people from other countries and regions have been traveling/returning to China where they primarily reside or work. Therefore, despite the decline of new cases, Chinese authorities are on high alert following an uptick of imported infection cases from overseas. In the last few days, the Civil Aviation Administration of China and the local governments in major cities (such as Beijing, Shanghai, Guangzhou and Shenzhen) have launched strict measures to screen and quarantine all passengers traveling from abroad. During that process, airport and local government authorities will collect personal information from all international passengers arriving in China.
In addition to the prevention and control of the virus, the public is also concerned about the widespread practice of information collection for public health purposes and potential misuse of their information. Since much personal information are collected in electronic form, the Cyberspace Administration of China (CAC) released the Notice on the Protection of Personal Information when Using Big Data for Joint Support and Defense (CAC Notice) on February 9, 2020. It emphasizes the key principles in connection with the collection and use of personal information for purposes of containing COVID-19.
This alert addresses some of the most frequently asked questions with respect to the collection and use of personal information during the epidemic under Chinese law.
Q: What Government Entities Have the Authority to Collect Personal Information for Public Health Purposes?
Based on (i) the Law on the Prevention and Treatment of Infectious Diseases, (ii) the Emergency Response Law and (iii) the Regulations on Responses to Public Health Emergencies, the following entities have the authority to collect and report information concerning public health emergencies:
Article 1 of the CAC Notice provides that only entities that are authorized by the National Health Commission in accordance with (i) the Cybersecurity Law, (ii) the Law on the Prevention and Treatment of Infectious Diseases and (iii) the Regulations on Responses to Public Health Emergencies are allowed to legally collect personal information for purposes of containing COVID-19. Other entities are not allowed to collect personal information without obtaining consent from individuals.
Q: Can Employers Collect Personal Information from Employees for Containing COVID-19?
Yes. Article 8 of the Employment Contract Law allows an employer to request the employees to provide information which is directly related to the employment contract, and the employee must truthfully provide the same. Article 54 of the Employment Law provides that employers shall provide employees with labor safety and health conditions that meet national regulations and necessary labor protection articles. As such, employers have the right to collect personal information from its employees that is necessary for the employers to maintain a safe and healthy working condition.
In addition, the Law on the Prevention and Treatment of Infectious Diseases requires all entities and individuals to accept the preventive and control measures adopted by disease and control institutions and medical institutions for the investigation, testing, collection of samples of infectious diseases and for isolated treatment of such diseases, and they must provide truthful information about the diseases. Employers are obligated to collect any such information from its employees as required by the authorities for the purpose of containing COVID-19.
Q: What Information Can Be Collected? For What Purposes?
If the employer collects personal information from its employees as required by the disease and control institutions and medical institutions, the scope of that information should be limited to details that are necessary for the prevention, control and treatment of COVID-19. For example, basic information regarding the identity of the individual (e.g. name, age, gender, etc.), location information (e.g. recent travel records, means of transportation, place of living, etc.) and health information (e.g. any suspected symptoms of COVID-19) are considered necessary for the prevention, control and treatment of COVID-19.
The CAC Notice provides that collection of personal information for the purpose of containing COVID-19 should comply with the principle of data minimization, which means that the target individuals should be limited to diagnosed patients, individuals with suspected symptoms and individuals who have been in close contact with those who have been infected with COVID-19.
The CAC Notice also provides that unless consented by the data subject, sensitive information such as name, age, ID number, telephone, home address etc. shall not be disclosed unless that information has been desensitized and solely for the purpose of containing COVID-19.
If the employer voluntarily collects personal information from its employees, that information must be directly related to and necessary for the performance of the employment contract.
If the employer wants to collect additional information, it must obtain prior consent from the employees and shall use such personal information only for the purpose and in the manner consented by the employees.
Q: Can Employers Transfer Personal Information Collected to Third Parties (such as the public security bureau, property management of the office buildings, etc.) ?
As noted above, if an employer is required by authorized government entities to collect personal information of its employees for the purpose containing COVID-19, the employer can transfer such personal information to the authorized government entities.
However, if another third party (such as a property management company where the employer maintains its office) requests the employer to provide personal information of the employees, that third party must prove that it is authorized by the relevant government entities to request the employer to collect and provide personal information of its employees. Otherwise, the employer and the employees can refuse to accept the request. Nevertheless, if the employees give express consent, the employer is allowed to transfer any such information to the third party, provided that the third party shall use such personal information only for the purpose and in the manner consented by the employees.
Q: What If an Employee Refuses to Provide Personal Information?
The employer should inform the employee of (i) the legal basis for collecting the relevant information (e.g. Employment Contract Law, the Law on the Prevention and Treatment of Infectious Diseases, etc.), (ii) the purpose of such collection (e.g. maintaining safe and healthy working condition, government efforts to contain COVID-19, etc.), and (iii) potential consequences of refusing to do so (e.g. disciplinary measures as provided in company policies, administrative or criminal liabilities, etc.).
If the employee refuses to do so, the employer may require the employee to work remotely and determine whether the refusal constitutes any violation of company polices and take disciplinary measures.
If the information is requested by the authorized government entities, the employer should report such refusal to the authority for its further action.
Q: What If an Employee or a Passenger on International Inbound Flight Provides False Information or Conceals Important Information While Such Information is Collected for the Purpose of Containing COVID-19?
Article 77 of the Law on the Prevention and Treatment of Infectious Diseases provides that where an entity or individual violates the provisions of this Law, thus resulting in the spread and prevalence of infectious diseases or causing harm or property losses to another person, that entity or individual shall bear civil liability (i.e. monetary compensation).
Article 51 of the Regulations on Responses to Public Health Emergencies provides that if any entity or individual fails to perform its reporting obligation, withholds, delays or makes a false report, obstructs authorized personnel from carrying out their duties, refuses authorized professionals to enter the site of emergency, or fails to cooperate with any investigation, sampling, technical analysis and inspection, the relevant responsible person shall be imposed an administrative or a disciplinary sanction according to law. If such conduct violates the Regulations of the People’s Republic of China on Administrative Penalties for Public Security and thereby constitutes a violation of public security administration, the public security authority shall impose a punishment.
Criminal liability may be implicated if the individual’s conduct is prohibited and punishable by the Criminal Law. For example, the Supreme People’s Court of China, together with four other government entities, issued a circular on March 16, 2020 which indicates that certain conducts by passengers arriving in China from abroad could implicate criminal liabilities, such as (i) refusing to implement health control measures requested by the Customs in accordance with the relevant laws and regulations; (ii) concealing important epidemic information or making false declarations; and (iii) failing to obtain necessary approval and knowingly importing items that may cause transmission of infectious diseases.
Conclusion:
The above listed questions are the key concerns of multinational companies and Chinese domestic companies and are not exhaustive. Along with the development of the coronavirus spreading situation, the Chinese government and the relevant authorities have been updating policies and requirements on personal information collection to mitigate the emerging risk to public health.
Multinational corporations doing business in China and Chinese domestic companies should be aware of the regulatory requirements for personal data protection in China for the collection, use, transfer and retention of personal information of employees. Also, employers should remind employees traveling back to China to comply with the information disclosure requirements of the relevant entities authorized by the Chinese government when more and more China-based personnel return to China.
Pillsbury’s experienced crisis management professionals are closely monitoring the global threat of COVID-19, drawing on the firm's capabilities in supply chain management, insurance law, cybersecurity, employment law, corporate law and other areas to provide critical guidance to clients in an urgent and quickly evolving situation. For more thought leadership on this rapidly developing topic, please visit our COVID-19 resources page.