Legal Compliance of Workplace Surveillance in China
A few months ago, a piece of rather interesting news in China raised debates about to what extent an employer can impose surveillance upon its employees in workplaces. The news reported that one major e-commerce company in China has internally announced sanctions upon some of its employees on the ground of excessive access to work-irrelevant mobile applications during work hours. The company was able to collect various data such like the length of access or quantity of data that has been exchanged by each particular employee’s use of his or her mobile phones to access certain applications (Tik Tok or online shopping applications) via the company’s internal wireless network. Those who support such an action argues that workplace surveillance is necessary to maintain the employment disciplines as well as the security. While others think such a surveillance scheme is only an undue intrusion to employees’ privacy.
No matter what stance to take, it is a fact that workplace surveillance has been an ordinary practice since long before. It is fair to say that employers have genuine needs to apply surveillance to ensure a safe and efficient workplace. Sometimes such surveillances are even mandatory by relevant laws. But as a matter of nature, surveillance upon employees is, more or less, a form of intrusion to employees’ privacy.
In China, the problem of workplace surveillance has long been addressed and discussed mainly as an employment law matter. Although there are not many relevant cases, the courts usually treat workplace surveillance as a part of the employer’s internal management and admit the legality of surveillance measures so long as the employer has included such a surveillance scheme in the internal regulation and such regulation has been adopted and circulated to the employees through proper procedures.
However, with the adoption and enactment of the Personal Information Protection Law (the “PIPL”) in the year of 2021, a new important dimension has been added when we consider this problem. Workplace surveillance has become more than a mere employment management issue.
I. Personal Information or Not?
Before we answer the question whether the information collected via workplace surveillance constitutes personal information under the PIPL, we shall first look at what kind of information are usually being collected and processed by employer via workplace surveillance.
§ Communication Information. Perhaps the workplace surveillance is most frequently applied to scenarios of all types of communication occurred in the workplace. Usually, information gathered from surveillance upon communication can be further categorized into “Traffic Information/Meta information” or “Contents Information”. Traffic information usually means information that generated from communication activities themselves. Such like the dial-in/dial-out number, length of access, length of conversation, e-mail address, website or IP address visited or quantity of data. While the “Contents Information”, as the word explains itself, means the contents that have been communicated through such communications.
§ Biometric Information. Biometric information is another important category of information that may be generated and processed by workplace surveillance, especially when an employer uses facial recognition, fingerprint recognition or CCTV system for security or other purposes.
§ Other Information. Such like real-time location information of particular employee.
Now, we shall turn to the question as whether the fore mentioned information will fall into the scope of “personal information” under the PIPL. The “personal information” is defined by the PIPL as any “information in relation to an identified or identifiable natural person that is recorded electronically or otherwise”. Like the concept of “personal data” under GDPR, “identified or identifiable natural person” and “in relation to” are the two most important building blocks of the concept of the “personal information”. However, in a workplace context, since employees are almost always “identified” to the employers, the part of “in relation to” will play a more important role here.
The word of “in relation to” itself is rather easy to understand, but the question as to what extent shall a piece of information be regarded as “in relation to” to a particular natural person is actually quite a difficult question and matters greatly in practice. Will a piece of information be regarded as personal information even if such an information only has a very remote or indirect relation to the particular natural person? Should information about an object or property owned by a natural person be deemed as “in relation to” such natural person? The essential question here is “what level of relevance does it require to render a piece of information to be personal information”?
The PIPL has not provided any further explanation about the question. But according to WP29’s “Opinion 4/2007 on the concept of personal data”, a piece of information will constitute “personal data” under GDPR if such information is “about a natural person” (the “content” element), or “for a natural person” (the “purpose” element) or “may have an impact upon a natural person” (the “result” element). The Content Element means a piece of information will be regarded as related to a natural person if such information is about a particular natural person while all surrounding circumstances shall be assessed. The Purpose Element means when a piece of information is used or likely to be used to evaluate or treat a natural person, then such information shall be treated as related to such natural person. Finally, the Result Element means when, after an assessment of all surrounding circumstances, a piece of information is likely to cause an impact on a natural person, it may be considered as “related” to such a natural person.
Based on the approach under GDPR, it is clear that information collected and processed by employer through workplace surveillance is very likely to fall into the scope of personal information. Because, first of all, the purpose of workplace surveillance is to monitor and evaluate behaviors of employees thus renders the “purpose element” exists in most cases. And, workplace surveillances are usually accompanied by measurements and consequences that may cause impact on employees, like the news that has been introduced at the beginning of this article, which will establish the “result element”. Still no need to mention that quite a part of the data collected through workplace surveillance are directly related to the employees. Therefore, employers shall be aware of the fact that workplace surveillances are not mere an employment law matter but may also be regulated by the PIPL.
II. How to Secure the Lawfulness Ground?
If implementation of workplace surveillance falls into the processing of personal information, then the next key question will be how to ensure a lawfulness ground for such processing.
According to the PIPL, in principle, processing of personal information will only be lawful if the data subject provides consent to such processing. However, consent will not be required where the processing of personal information is necessary for the conclusion or performance of a contract to which the relevant natural person is a party or is necessary to carry out human resource management, or where processing of personal information is necessary for the performance of statutory duties or obligations, or where processing of personal information is necessary to respond to public health emergency, to protect life, health and property safety of natural person in an emergency, or where processing of person information for the purpose of new report and public opinion supervision, or process disclosed personal information within a reasonable scope. And in the scenario of workplace surveillance, employers are very likely to rely on “consent” or “human resource management” to secure the lawfulness ground.
Because, unlike the GDPR, the PIPL does not exempt consent by date subject while there are “legitimate interests” for a processor to process personal information. Thus, obtaining consent from employees looks the most approachable lawfulness ground to be relied on. When rely on “consent”, according to the PIPL, the processor shall ensure that such consent is “explicitly and freely given”. But it is very debatable if a consent provided by an employee to its employer in an employment context will constitute a true consent. In GDPR, a consent must be “freely given”, “specific” and “informed” to be a true “consent”. And the word “freely given” usually means that the data subject had “genuine choice” at the time of consent and had the right to refuse or withdraw such consent. If an employee provides his or her consent only from a fear of any unfavorable treatment by the employer that may follow if he or she refuses to provide such consent, then such consent can hardly be regarded as a “explicitly and freely given”.
When rely on “human resource management”, the employers shall also keep in mind that not all workplace surveillances are necessary to carry out human resource management. For example, if an employer installed surveillance cameras to ensure the safety of the workplace, or monitor the employee’s use of network for the purpose of maintaining cybersecurity or to record employees’ movements upon certain files or documents to protect the trade secrets, it is questionable whether such surveillances can be regarded as a necessary measure to carry out human resource management.
After a lawful ground has been secured for workplace surveillance, employer shall further consider if the surveillance measurement has met the minimization principle. Article 6 of the PIPL says processing of personal information shall with clear and reasonable purpose and shall be directly related to such purpose, collect personal information in such a manner that will cause minimum effect to the natural person’s rights and interest within the minimum scope that is necessary to achieve the purpose of processing with any excessive collection of personal information.
In order to meet such minimization principle, employer shall keep the processing of personal information within reasonable scope by using measurements that are proportionate to the purpose of processing. The employer shall not carry out the surveillance in a relatively “intrusive” manner when there is only a relatively less important purpose to achieve or such purpose can still be achieved with a less intrusive manner.
For example, in the case of the news that has been mentioned at the beginning of this article, if an employer wants to avoid employees spending too much time on irrelevant mobile applications or websites, the employer can simply ban or restrict access to certain mobile applications or websites instead of monitoring employees’ activities of using the network. Banning access to certain mobile applications or websites can achieve the purpose with almost same effects without any necessary to process employees’ personal data or any intrusion to employees’ privacy.
Therefore, it is advisory for the employer to, before the implementation of workplace surveillance, carefully review its surveillance scheme to make sure that such surveillance cannot be substituted with other less intrusive method and such surveillance has been minimized in terms of scope, quantity, duration and storage.
IV. What to Inform?
No matter whether a consent by the data subject is required or exempted to process personal information, according to the PIPL, the processor shall always keep the date subject informed of the processing. Article 17 of the PIPL is clear about what shall be informed to the data subject before any processing starts. According to this article, a processor shall at least inform the data subject of the purpose of processing, method of processing, types of personal information to be processed and the duration of storage.
To ensure that employees are well informed of the surveillance measures is not only necessary to meet the transparency requirement. As mentioned above, while employers are most likely to obtain employees’ consent to build the lawfulness ground, under the context of employment whether a consent by an employee to the employer constitutes a valid consent under the PIPL remains questionable. Therefore, a proper and adequate notice or statement to employees regarding the surveillance measures before the employees render their consents may be a practical way to increase the likelihood that such consent will be deemed as a valid one.
Generally speaking, it is advisory for the employers to keep employees informed of the following information before they render their consents to be subject to the surveillance measures.
Rules and regulations of using employer’s network, computers and other devices. Those rules and regulations usually include the time, method and scope on using the employer’s network, computers and other devices. It must be clear about whether the employer’s devices can be used for private purposes and if there is any restriction on such use for private purposes.
Purposes and measures of the surveillance. The employer shall inform the employees of all the surveillance measures that are being applied or will be applied and purpose of each surveillance measure respectively. Also the employer shall keep the employees informed of the key facts about all surveillance measures including subject of surveillance, scope, technical method, duration and frequency. The employer shall make an individual statement to draw the employees’ attention if any sensitive personal information may be collected and processed as a part of any surveillance measure.
Possible Consequences that may arise from the surveillance. The employees shall be aware of the consequences, in advance, when any inappropriate behaviors were detected through surveillance measures and if there is any remedy that the employee could rely on.
Security measures. The employer shall also make an explanation to the employees about all the security measures both from organizational perspective and technical perspective that have been implemented to safeguard the information collected through surveillance measures.
Others. Such as the name of the processor if any surveillance measure is wholly or partly outsourced to a third party, possibility of transfer of personal data collected through surveillance measures to an overseas entity.
V. In the End
With the advancement of technology, surveillance measures with higher efficiency and less cost will continue to be added to the tool box, thus be more widely applied in the real life. But employers shall be aware of the fact that the adoption of the PIPL in China has added a new dimension to the regulation scheme of workplace surveillance. It will no longer be a mere employment law issue.
In the context of personal information protection, lawfulness requirement is the first question that any processor shall take into careful consideration. Although remain questionable, since the PIPL does not admit “legitimate interest” as one lawfulness ground, employers in China are likely to rely more on employees’ consent to meet the lawfulness requirement. Thus, it will be advisory for the employers to make a careful and prudent consideration before implementation of any workplace surveillance to avoid or at least reduce the legal compliance risk.