
Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology


Employee data privacy in Asia: untying the knotty issues

We held a webinar for clients with the same title earlier this month. The session attracted one of our highest attendances ever in Asia for a single seminar, demonstrating the interest level in the topic. As a result, we thought it would be useful to summarise for clients the main points we discussed - in relation to the use of automated recruitment tools, the implementation of whistleblowing helplines and employee share option schemes, the monitoring of employee behaviours/use of IT systems, etc, handling employee data in the context of internal investigations, and the response to data access requests made in conjunction with an employment dispute.

Data privacy in Asia has undergone a substantial overhaul in recent years, with new laws and new standards now embedded across the region that are on a par with the highest international norms.

These rules have materially increased the compliance burden on employers as well as the expectations from the employee side. While this recent build out of Asia’s privacy laws has demonstrably been influenced by the GDPR, in some cases these laws also contain unique requirements that differ from those in other regions, particularly in relation to cross-border transfers of data.

Recruitment and onboarding 

Employers are increasingly turning to AI and other automated tools in the recruitment process, using algorithms to scan applications, conduct chatbot interviews, conduct and analyse psychometric tests and other suitability screening, and there are even suggestions that the Metaverse could be used in future as a forum for virtual interviews.

Some of the key considerations as regards privacy are:

  • The adoption of these types of automated tools requires a privacy impact assessment (PIA) to be carried out in China and Indonesia, and this is also a recommended practice in Hong Kong, Japan, Australia and New Zealand. A PIA will also be required in Singapore if relying on legitimate interest or deemed consent as the legal basis for the processing. A PIA is a tool to identify privacy risks, determine the risk of legal non-compliance, review the availability of less privacy-intrusive alternatives and to adopt suitable measures to mitigate the remaining risks.
  • The use of automated decision-making tools may also give rise to specific notification and transparency requirements over and above the scope of an organisation’s usual privacy notices. For example, in China an employer will have to specifically notify job candidates if an automated decision-making tool will be used in recruitment, be ready to explain decisions reached through the use of the tool, and also be prepared to offer a non-automated alternative if the candidate objects to its use.
  • Engaging a third-party vendor may involve cross-border transfers of data (see more on this issue below). The employer will additionally be under an obligation in essentially all major Asian jurisdictions to ensure that the vendor processes the personal data in compliance with law and in accordance with the employer’s instructions, that the vendor has implemented appropriate security and retention practices, etc, and that employees are able to exercise their individual data subject rights as against the vendor.

Employers will be relying on the quality of the vendor’s tool and the reliability and representativeness of the data used to train it. While one of the main motivations for using AI in a recruitment process is often to introduce greater objectivity, there have been a number of high-profile incidents recently in which AI tools have been demonstrated to have been inadvertently programmed with in-built biases (see Freshfields’ blog on AI and gender discrimination). It is the employer who would likely face a discrimination claim arising from the adverse effects of a biased recruitment tool (not the provider) - as well as the reputational fall out - and such damage may not be capable of being properly indemnified either. It is therefore critical to diligence and stress-test the tool before implementation, and also to maintain active oversight of its operation. Having a sufficient understanding of the parameters of the tool will also be necessary to be able to line up privacy notices on terms that support obtaining the required consents.

Day-to-day processes

Data privacy obligations apply in many areas that employers may not be expecting: for example when implementing a new global whistleblowing hotline or a group-wide employee share incentive plan. Both situations will inevitably involve the processing of employee personal data (often by third-party vendors/service providers), and when a multi-national company adopts a single global solution, the use and maintenance of such a hotline or share incentive plan is very likely to result in cross-border transfers of personal data as well.

Employers should consider the following:

  • Do existing employee notices and policies sufficiently contemplate these new internal processes, transfers to third parties and outbound transfers of personal data? If not, it is very likely that employees will need to be presented with new notices. Within major jurisdictions in Asia, it is only China that has adopted a broadly-stated exemption for processing employee data. While some other countries have partial exemptions, in most Asian jurisdictions (except for Hong Kong, Japan and New Zealand), consent is the primary basis for processing personal data. Legitimate interests is only available as a basis for processing in Singapore, Indonesia, Thailand, Philippines and South Korea. Even in China, the burden will be on the employer to demonstrate that a particular processing activity is objectively necessary for implementing and managing its various human resource management procedures; and if unable to do so the employer would instead need to rely upon an explicit consent.
  • If third parties are involved, for example an external facilitator of a whistleblowing hotline, or share plan administrator, does the company have the relevant employee consents or legal basis to transfer personal data to these entities? As explained above, specific contractual provisions in relation to data privacy will therefore need to be built into the service agreement between the company and the third party, or a separate data processing agreement entered into.
  • Will there be any international transfers of personal data? Most major Asian jurisdictions regulate cross-border transfers of personal data. In many jurisdictions in the region, a data transfer agreement will be sufficient to lawfully transfer data internationally, and only a handful of countries have introduced mandatory international data transfer clauses (namely, to our knowledge, China (with effect from 1 June 2023), Thailand (not yet published, but expected soon) and Indonesia (expected to be published within the two-year transition period for the Law on Personal Data Protection, which ends in October 2024)). The situation in China, however, is significantly more complex. In particular, organisations will need to obtain approval from the Cyber Security Administration to continue transferring personal data out of China if any one of three volume thresholds is exceeded (see our separate blog on the new standard contract for international data transfers).

Other ASEAN countries have adopted the Model Contractual Clauses for cross-border data transfer. The ASEAN clauses are not mandatory but have been issued as a voluntary standard designed to ensure that transfers of personal data comply with the principles of the ASEAN Framework on Personal Data Protection (2016). Singapore’s PDPC has issued guidance encouraging the use of the ASEAN Model Contractual Clauses as one means to fulfil the relevant transfer obligations under the Personal Data Protection Act. The Hong Kong PCPD has also issued a set of recommended model clauses for cross-border transfer of personal data. These and the ASEAN Model Contractual Clauses can be modified and supplemented, provided that the terms of the model clauses are not overridden or contradicted.

Monitoring employee conduct

The monitoring of employee conduct - everything from using electronic door panels to monitor attendance at the office to more intrusive forms of monitoring of office spaces and the use of employee systems, as well as the adoption of productivity tools - is an intrinsically sensitive issue given the potential consequences that could follow for an employee. This is something we looked at in a previous blog ‘My algorithm boss is watching me’.

For employers, while the same basic data privacy principles will apply to employee monitoring as those discussed above (e.g. privacy notices, permitted legal basis for processing, PIAs, potential transfers of data to centralised data centres or other systems overseas, etc.), the risk of employee challenge is higher. And while the exemption to the consent requirement in China for human resource management ought to apply to many routine activities in a workplace, it is less clear cut whether the exemption would extend to the monitoring of an employee’s behaviour.

Therefore, to have confidence that employee consents will stand up to scrutiny, employers will want to reflect on whether the disclosure provided to employees about potential monitoring achieves a defensible standard of transparency in view of the potential objections employees may have. We are already seeing increased regulator attention in the EU on privacy notices and the clarity and specificity of information provided to individuals, and expect this trend to register across the Asia region before too long. For this reason, and since it is a fair assumption that any privacy notice is unlikely to have been widely read, it would be a sensible practice to reinforce the communication with special notices placed proximate to the activity that is being monitored: for example a notice on the log on screen of a device or placed in an area of the office that is being surveilled.  

Investigations and disciplinary proceedings

Data privacy issues will also need careful handling in the context of workplace investigations and disciplinary proceedings.

In an investigation of alleged employee misconduct or wrongdoing, an employer may wish to access and review employees’ emails or instant messages, and to access private devices as well as work devices.

Firstly, while statutory exemptions may exist in certain situations, an employer should not assume that an exemption will be available for the specific scenario in issue or that the exemption obviates an employer’s compliance burden completely. The scope and availability of exemptions will vary between jurisdictions, and there is often uncertainty around the ability to safely rely on exemptions, especially in relation to cross-border investigations or the investigation of matters that only give rise to liability in another jurisdiction (e.g. under the Foreign Corrupt Practices Act). Moreover, often only a partial exemption is provided from specific provisions of a law, or the exemption is subject to qualifications that will require careful judgment to apply.

  • Is an employer permitted to image an employee’s personal phone? This is going to be difficult and depend on what is set out in a relevant ‘bring your own device’ or information security policy (in addition to privacy notices), as well as on how the employee has been using the personal device (e.g. for work purposes through specific work-issue apps). However, an employer will often not have legal grounds to compel an employee to surrender a personal device. Also, the balancing act between the legitimate interests of the employer (where this may provide a legal basis for the processing) and the encroachment into an employee’s privacy will be more delicate in the case of access to a personal device. And while the employer may be able to access certain applications or features on a device, mirroring the entire contents of the device may very well exceed what is permissible given that this will involve capture of non-work-related information. This will mean the employer will have to carefully consider the scope of any review exercise to ensure that it is reasonable and proportionate in the circumstances. Similar issues will arise if the employee has emailed personal documents from a private email account to a work email address, for example to be able to print those documents out.
  • It should also be considered where employee records and other personal data collected during an investigation are stored. Information may be stored on an overseas server or document management system for review and retrieval. It is important to consider whether all applicable formalities and procedures have been satisfied for cross border transfers of personal data, as discussed above.
  • What if the employee makes a data access request in the middle of a disciplinary process or an employment tribunal dispute? All major Asia jurisdictions have a right to access personal data. Data access requests are now routinely used in employment disputes (and commercial litigation more widely) - either before or after a formal claim has been lodged to obtain early disclosure or to gain leverage in settlement negotiations. The law on data access requests varies from jurisdiction to jurisdiction. Laws may include exemptions for ongoing disciplinary processes but may not continue to apply once the process has been concluded and a decision has been communicated to the employee. An exemption may also apply in respect of legally privileged materials in jurisdictions where that concept exists, but mere confidentiality alone may not be a sufficient ground to resist. Exemptions are less common for litigation per se or because the parties are in dispute in relation to the matters underlying the data the employee is requesting access to. On the other hand, employers may be able to push back if the employee embarks on a general fishing exercise without specifying clearly the category(ies) of information it believes exist that the employer is being asked to produce, and it may also be permissible for the employer to delete non-contextually relevant information. Wherever the employer is relying on an exemption to refuse to comply, it will need to carefully examine whether the grounds for the exemption are properly made out in the particular case, and whether the employer is required to give reasons for the refusal to comply or to maintain a record of its decision-making for any specific period of time.

Conclusion 

Given the increased focus of legislators and regulators on the handling of employee personal data, and the now sometimes significant sanctions that can be potentially imposed in relation to a breach, employers should ensure that their consents, notices, policies and procedures are fit for purpose in each of the jurisdictions in which they operate, and are adequately future proofed e.g. anticipate future transactions or workplace investigations, etc. Employers are advised to consider all new projects holistically so as to spot any potential data privacy angles and to work to address these compliance requirements at an early stage.

The briefing is only intended as general advice and should not be relied upon as legal advice applicable to any specific situation or circumstances. Foreign law firms are presently not licensed to practise PRC law. Accordingly, any references to, or discussions of, PRC law in this communication or any attachment are based on our understanding of publicly available PRC laws and regulations, our informal discussions with PRC authorities and our experience representing foreign companies in their business activities in the PRC.