By Art Dicker, Qiao Peng, and Connie Chen
In 2021, the People’s Republic of China’s legislature enacted the Personal Information Protection Law (PIPL), presenting a significant challenge for internal investigations within the jurisdiction. Although PIPL often draws comparisons to the European Union’s General Data Protection Regulation (GDPR), certain provisions of PIPL are even more rigorous, especially concerning the transfer of personal data and national security scrutiny in cross-border internal investigations.
At the outset, a specific complexity arises from the lack of contemplation regarding internal investigations by the drafters of PIPL. Not surprisingly, the concept of internal investigations was not specifically addressed in the law nor in official commentary on the law. A general exception related to human resources management was introduced during the final draft of the PIPL. This absence of provision for corporate internal investigations, compounded by the lack of implementing regulations and cases, has resulted in a significant degree of legal uncertainty.
This briefing will focus on two critical aspects of how PIPL impacts cross-border investigations in China:
- Establishing a lawful basis for processing personal information upon initiating an internal investigation, and;
- Lawful procedures for exporting personal data from China, either for communication with an overseas party regarding an internal investigation or for use as evidence before a foreign court.
- LAWFUL BASIS FOR PROCESSING
Article 13 of PIPL outlines seven lawful bases for processing personal data, comparable to Article 6 of GDPR. Although the default approach requires individual consent, one must explore other alternative lawful bases if consent is unobtainable, deemed involuntary, or withdrawn by the data subject of an investigation.
- Article 13(1): Consent
The primary requirement for the collection, processing, or transfer of personal data is the consent of the data subject. Without consent, the internal investigation may be hindered from the very beginning. This is the most common lawful basis for processing personal information. Companies may try to get consent from employees during onboarding, which at the time would be more innocuous and readily obtainable. While blanket consent may be sought during onboarding to fulfill notification obligations, an argument remains that more specific separate consent is needed when the specific situation arises down the road. In addition, a potential issue may arise when seeking this consent after an employee has left the company.
In some instances, PIPL mandates separate, specific consent for actions like exporting personal information or sharing personal information with a third party. Such consent is separate and should not be confused with Article 13(1) consent as the lawful basis for processing personal information.
Meanwhile, although obtaining consent is the standard practice, it carries two inherent risks:
Right of Withdrawal: Article 15 of PIPL entitles the data subject to withdraw consent at any time. Any processing activities conducted prior to the withdrawal of consent are not affected by the withdrawal itself. However, a personal information handler must delete the personal information upon withdrawal, which of course can be problematic.
Voluntary Consent: Within the context of internal investigations, it can be challenging to ascertain whether the employee’s consent obtained by the company is genuinely voluntary. In recognition of the perceived imbalance between the company and the employee, a consent may be invalidated if an individual is coerced or if refusal leads to unfair treatment or adverse effects.
- Article 13(2): Human Resources Management
When grappling with the challenges of obtaining separate voluntary consent and the right of withdrawal from the data subject, it is vital to carefully consider other lawful bases for processing personal information. Article 13(2) of the PIPL offers a human resources management exception, permitting the processing of personal information “where necessary to conduct human resources management in accordance with lawfully formulated labor rules and structures, as well as lawfully concluded collective contracts.”
Article 13(2) has been referenced in the discussion, but there is doubt whether such internal investigations would qualify as human resources management. Opinions remain divided due to the late introduction of Article 13(2) in the legislative process and the absence of publicly available cases interpreting the clause.
Proponents of classifying internal investigations as human resources management point to the legislative history of PIPL. Legislators identified “performance evaluation” at work as a challenging scenario for obtaining individual consent in the non-binding scholarly work. Consequently, they found that the human resources management exception is both reasonable and necessary. Some believe that internal investigations fall within the realm of performance evaluation, and therefore, Article 13(2) can serve as the lawful basis for internal investigations.
However, this interpretation of legislative intent might be seen as overreaching, especially when the specific purpose of processing personal information—such as employee termination or disciplinary actions—is ambiguous and not yet determined. It could be argued that both can be viewed as aspects of performance evaluation, but one may disagree. Moreover, this interpretation does not extend to cover the personal information of third parties, for instance, related party suppliers that might be implicated in an investigation over breaches of management fiduciary duties, such as side deals initiated by a local general manager.
Despite the existing legal ambiguity, companies are highly recommended to explicitly cite “human resources management” as the ground for collecting and processing employees’ personal information in official guidelines and documents, including labor contracts and employee manuals and make specific references to internal investigations as part of that description. This justification should also be included in investigation notices and legal holds to provide clear grounds for processing personal information before Chinese authorities and courts.
- Article 13(3): Statutory obligation
Article 13(3) of PIPL permits the processing of personal information without the data subject’s prior consent, provided that it is ‘necessary to fulfill statutory duties and responsibilities or statutory obligations.’ If an internal investigation is linked to fulfilling a statutory obligation under Chinese law, Article 13(3) might provide a lawful basis for processing personal data without obtaining consent. However, Article 13(3) seems to have restricted applicability if the investigations primarily concern breaches of company policies without a direct relationship to statutory obligations (i.e. internal housekeeping for violation of company policies which do not clearly trigger obligations under statutes such as the FCPA).
- Overseas vs. Domestic
A further consideration involves the scope of this exception, particularly whether it encompasses non-Chinese legal obligations. In Cadence Design Systems v. Syntronic AB (2022), the Federal District Court for the Northern District of California interpreted Article 13(3) to include not only Chinese but also foreign statutory obligations. The Court found that the Chinese company may transfer personal data without separate consent and ordered the defendant to produce the evidence at issue for inspection in the United States. This interpretation was similarly adopted by the Federal District Court for the Southern District of New York in Owen v. Elastos Foundation (2023).
This broader interpretation of Article 13(3) by the U.S. court raises serious concerns over the U.S.’s perceived extraterritorial jurisdiction in China. The prevailing interpretation within China, of course, tends to restrict the scope of Article 13(3) to Chinese domestic legal obligations only. As will be further discussed in the context of exporting personal data, Chinese authorities have shown marked resistance to such efforts at cross-border discovery and are likely to dissent and closely scrutinize such cross-border data transfers.
- Article 13(6): Disclosed Information
The processing of disclosed information represents another lawful basis during an internal investigation. According to Article 13(6) of PIPL, consent is not obligatory “when handling personal information disclosed by persons themselves or otherwise already lawfully disclosed, within a reasonable scope in accordance with the provisions of PIPL.”
- Social Media
This exception introduces uncertainty concerning the definition of ‘disclosed information’. One area of ambiguity concerns whether an employee’s publicly available social media posts can be collected and used as evidence in an internal investigation without prior consent. In non-binding legislative documents, lawmakers appear to set a rather stringent threshold for personal information to qualify as disclosed information. They assert that the data subject must fully recognize that they are disclosing their personal information to the public and foresee consequences arising from such disclosure. Arguing that an employee published social media posts with the expectation that these posts might later be used as evidence against them in an internal investigation could be challenging. Courts may also evaluate the circumstances in which the information was disclosed, considering factors such as the nature of the social media platform, the privacy settings of the account, conditions for accessing the page, and so on.
Another point of ambiguity stems from the term “reasonable scope.” From the limited cases available, courts tend to align their interpretation with the general principles found in Article 5 of PIPL – legality, propriety, necessity, and good faith. In addition, the courts may balance the interests of the parties involved. However, Article 5 also prohibits handling personal information in “misleading, swindling, coercive, or other such ways,” and this prohibition may pose additional risks in an adverse internal investigation.
Although anonymized data is not one of the lawful bases enumerated in Article 13, Article 4 of the PIPL excludes anonymized information from the definition of “personal information,”. The question arises regarding how helpful anonymous information can be for internal investigations, considering it is difficult to be used as evidence in disciplinary actions or litigation after the investigation.
- EXPORT OF PERSONAL DATA
While the first section addressed data processing, this section focuses primarily on the procedures necessary to export personal data obtained through internal investigations from China to other jurisdictions. The consideration of legal complexities goes beyond the Personal Information Protection Law (PIPL), encompassing various interrelated legal frameworks.
Preceding the PIPL, legislation such as the Civil Procedure Law (2021) and the Securities Law (2019) has already imposed restrictions on providing documents and materials to foreign judicial or law enforcement bodies without the authorization of the Chinese authorities. The introduction of the Cybersecurity Law (CSL, 2017), Data Security Law (DSL, 2021), and PIPL (2021) has expanded these restrictions to encompass a broader range of foreign recipients and additional phases of data processing.
In conjunction with the CSL, DSL and PIPL, the State Council, the powerful Cyberspace Administration of China (CAC) and other authorities have issued various implementing regulations and guidelines that introduce further nuances and hold substantial practical significance.
Cross-border data transfer can be more expansive than one initially anticipated. Examples include Chinese whistleblowers reporting to overseas entities and Chinese entities re-exporting data provided by overseas parties. Given the potential ambiguities, a broader interpretation of the scope may be advisable to mitigate legal risks.
- National Security
Unlike GDPR, China’s data legislation, including PIPL, is driven not primarily by privacy concerns but by national security. Chinese authorities employ a “holistic view of national security,” which encompasses commercial practices. Particular care must be taken in investigations involving governmental bodies, state-owned enterprises, or strategic industries, as seen in recent national security crackdowns on Western consulting firms.
Relevant statutes include the Protection of State Secrets Law (2010), the National Security Law (2015), and the Counter-espionage Law (2023). While personal information in a commercial context is usually not considered a state secret, there may be increased risk when dealing with state-owned companies in strategic industries. Though approval for data transfer is theoretically possible from regulators, it is often challenging to obtain in practice.
- Separate Consent
Exporting personal information requires satisfying two conditions as per Articles 38 and 39 of PIPL: the data must be necessary for business, and separate consent must be obtained. While the former can be reasonably achieved in an internal investigation through adherence to principles such as purpose limitation and data minimization, the latter demands particular attention. The blanket consent obtained during employee onboarding may be insufficient. A separate consent specifically for cross-border data transfer during an internal investigation is advisable.
Whether separate consent is necessary under exceptions to consent in Article 13 of PIPL, such as human resources management, remains unsettled. Although the prevailing academic and practical view suggests that separate consent may not be required if there is an exception to consent in Article 13, the lack of official interpretation or court case supports a cautious approach. To enhance legal certainty, obtaining separate consent from the data subject is recommended where practical.
- Security Assessment
The Security Assessment by CAC is the first mechanism for exporting personal information. This assessment involves complex procedures at both the local and national, potentially requiring up to three months for completion. While choosing other mechanisms for data export might be more suitable, if available, a diligent self-assessment of the need for security assessment remains essential to ensure compliance. The requirement for a Security Assessment arises under the following circumstances:
- Important data
A Security Assessment is obligatory if data gathered during an internal investigation is classified as “important data.” If not, it shall be referred to as “personal information.” Though the term “important data” is not used in the Personal Information Protection Law (PIPL), it is found in the DSL. CAC further defines important data as information that, “if altered, destroyed, leaked, illegally acquired or illegally used, etc., may harm national security, economic operations, social stability, public health or security, etc.,” as outlined in Article 19 of the Measures for the Outbound Data Transfer Security Assessment (Security Assessment Measures, 2022).
- Critical Information Infrastructure Operator (CIIO)
CIIO refers to operators of “important network infrastructure, information systems, etc., in important industries and sectors such as public telecommunications and information services, energy, transportation, water, finance, public services, e-government, national defense science, technology, and industry, etc., as well as where their destruction, loss of functionality, or data leakage may gravely harm national security, the national economy and people’s livelihood, or the public interest,” according to Article 2 of the Critical Information Infrastructure Security Protection Regulations (CIIO Regulations, 2021).
Like important data, any personal information transfer by a CIIO mandates a Security Assessment.
- Number of Individuals
A Security Assessment is also required when large quantities of individuals’ data are being transferred according to Article 4 of Security Assessment Measures, with thresholds set at 10,000, 100,000, or 1 million individuals, depending on the nature and sensitivity of the information. This requirement may not be a major concern for an internal investigation targeting only a few employees, as the transfer of massive personal information of one or a few individuals would not trigger the Security Assessment in and of itself.
- Technical Certification or Standard Contract (SC)
If there is no requirement for a Security Assessment, two less complicated mechanisms for exporting data include a Technical Certification provided by CAC or a standard contract (SC) between the data exporter and recipient. However, in an internal investigation context, neither is an ideal option. Technical Certification is often challenging, and very few Western companies have obtained it. As for SC, a U.S. court or government agency would be unlikely to sign as an end recipient, thereby limiting its effectiveness.
- BLOCKING STATUTES
Chinese blocking statutes, including the PIPL, can create significant obstacles regarding the export of personal information to law enforcement agencies during internal investigations and subsequent proceedings. Article 41 of the PIPL provides that “without the approval of the competent authorities of the People’s Republic of China, personal information handlers may not provide personal information stored within the mainland territory of the People’s Republic of China to foreign judicial or law enforcement agencies.” As evidenced in cases like Cadence Design Systems v. Syntronic AB (2022) and Owen v. Elastos Foundation (2023), many companies find themselves caught between U.S. discovery laws and Chinese blocking statutes.
The concerns extend beyond the PIPL. Article 36 of the DSL shares similar wording with Article 41 of PIPL, and other legal provisions further complicate the matter. For example, Article 177 of the Securities Law restricts providing documents to foreign securities regulatory bodies (such as the SEC) for investigations or as evidence. Similarly, Article 4 of the International Criminal Judicial Assistance Law (2018) prohibits the provision of certain evidence materials to foreign countries. Although these blocking statutes offer a potential exit via approval from China’s regulators, it is likely that obtaining such approval will be slow and challenging.
Finally, another unresolved question arises regarding whether information initially exported for an internal investigation may later be transferred to a foreign authority if it should have been known that such information was likely to be handed over at some point.
It should be apparent by now that there are no clear answers to many of the questions raised in this discussion. Careful consideration should be given to balancing competing regulatory obligations, the potential for challenge and lack of cooperation from relevant employees versus resolving a difficult matter quickly to get a company back to running a compliant business.
Companies should understand how personal data is processed at their operations in China, what their approach to internal investigations is, and how that might conflict with China data regulations. With these information companies can then adjust internal structures or prepare compliance measures.
 Stanford University’s DigiChina Project provides an English translation of PIPL (https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/).
 See legislative papers. NPC Observer provides an English summary of legislative history (https://npcobserver.com/legislation/personal-information-protection-law/). See, for instance, Constitution and Law Committee of the National People's Congress, Report on the Results of Deliberation of the Personal Information Protection Law of the People’s Republic of China (Draft) (Aug. 17, 2021); Constitution and Law Committee of the National People's Congress, Report on the Suggestions for Revision of the Personal Information Protection Law of the People’s Republic of China (Third Draft for Review) (Aug. 19, 2021).
 Yang Heqing, Interpretation of the Personal Information Protection Law of the People's Republic of China 46-47 (Law Press China 2022).
 Cadence Design Sys. v. Syntronic AB, 21-cv-03610-SI (JCS) (N.D. Cal. Jun. 24, 2022.
 Owen v. Elastos Found., 19-CV-5462 (GHW) (BCM) (S.D.N.Y. Jan. 11, 2023.
 Cheng Xiao, Interpretation of the Personal Information Protection Law of the People's Republic of China 250-251 (China Legal Publishing House 2021).
 The similar approach can be found in European Data Protection Board, Guidelines 8/2020 on the Targeting of Social Media Users, Version 2.0 (2021).
 Important secondary legislation and guidelines include: Critical Information Infrastructure Security Protection Regulations (State Council, Effective Sept. 1, 2021); Measures for the Outbound Data Transfer Security Assessment (CAC, effective Sept. 1, 2022); Measures for the Standard Contract for the Outbound Cross-Border Transfer of Personal Information (CAC, effective Jun. 1, 2023).
R&P China Lawyers is a full-service law firm with a strong data compliance practice. The data privacy, employment and compliance/investigations teams work hand-in-hand to advise companies how to remain compliant with China’s data privacy laws with cross-border operations and supports the development of internal and external compliance systems. They also represent companies that are the target of a complaint or government investigation and assist with general compliance matters. For more about our work, please email Mr. Art Dicker ([email protected]), Ms. Peng Qiao ([email protected]), Connie Chen ([email protected]) or your usual contact at R&P China Lawyers.
A significant contribution to the writing of this article was also made by Yvan Pan during his time at the R&P Shanghai office.