China: New challenges ahead for corporate compliance investigations under China's new Personal Information Protection Law

In brief

China has strengthened its commitment to protect personal information by adopting the new Personal Information Protection Law (PIPL 《中华人民共和国个人信息保护法》) which gives data subjects the power to control and determine how, with whom and for what purposes their personal information can be shared, analyzed or handled. Our Firm has previously released a more detailed discussion on the PIPL, which took effect on 1 November 2021.

In the context of compliance investigations, typical activities can include accessing and analyzing employees' personal information. The investigation team may also want to engage external professional assistance or share such information with head offices located outside China. Under the PIPL, these activities require general or specific consent from the data subject, which may not be feasible in light of the sensitive and confidential nature of an investigation.

In our client alert, we discuss how the new PIPL obligations, such as express consent, have created practical challenges for businesses seeking to conduct an internal investigation as part of their corporate compliance or internal controls program.

Key takeaways

  • Companies seeking to conduct an internal investigation are obliged to comply with the PIPL, which among other things, requires the express consent of a data subject where the processing of sensitive personal information or cross-border provision of personal information is involved.
  • Although the PIPL includes grounds which exempt an individual's express consent and excludes anonymized information from the definition of "personal information", these contain certain limitations and uncertainties.
  • When conducting an internal investigation, businesses should not solely rely on the statutory grounds of exemptions to overcome the requirements under the PIPL and should seek legal assistance to understand the relevant risks and limitations.
  • Businesses should proactively review and update their corporate compliance policies (e.g., whistleblower policy, investigation protocols and other internal control procedures) to ensure compliance with the new rules under the PIPL.
  • Companies should train employees and staff on the requirements under the PIPL and other data security law to ensure that they comply with the new laws in the execution of their duties.

In more detail

Scenarios where personal information may be accessed in investigations

In the context of a compliance investigation, it is inevitable for an investigation team to touch upon and review specific personal information, or even sensitive personal information1. Examples of activities involving personal information include:

  • Collecting employees' personal information (e.g., education and work history), reviewing records of work emails related to potential non-compliant matters or incidents, and using information provided by whistleblowers.
  • Obtaining sensitive information of employees, such as bank accounts, expense and reimbursement records and their location during relevant periods.
  • Accessing and processing personal information of third parties, such as business partners and customers.

It is worth noting that the PIPL imposes information protection duties, some of which are similar to the EU’s General Data Protection Regulation (GDPR), whilst the others are stricter than the GDPR, especially in the scenarios of third-party data access and cross-border transfer. Unlike the GDPR, the PIPL takes national security and public interest into consideration when regulating personal data protection, and grants certain powers to Chinese enforcement authorities (for more details please refer to our client alert here).

Statutory consent exemption

In practice, once an investigation has commenced, obtaining express consent from an individual who is under investigation to provide personal information becomes challenging and difficult. In addition to the express consent mentioned, Article 13 of the PIPL also establishes six grounds which exempt the requirement for express consent for processing personal information. We have extracted three exemptions which are relevant to compliance investigations - 1) implementation of human resources management, 2) performance of statutory duties, and 3) processing data that has been lawfully disclosed in a reasonable scope. However, we consider that these exemptions contain certain limitations and discuss these in more detail below. 

  • Implementation of human resources management — it is not clear that corporate compliance investigations can be recognized as a part of human resources management from a legislative or judicial standpoint. Furthermore, if an investigation requires the participation of external counsel and/or other service vendors, separate consent for transferring personal information to a third party is still mandatory under the PIPL. The same challenge will be encountered in relation to the transfer of personal information abroad (such as transferring personal data to a company's offshore headquarters for further review and/or decision-making).
  • Performance of statutory duties — Government enforcement authorities can process personal information without prior consent by invoking this exemption, but whether this ground can be extended to an internal investigation or audit remains unclear.
  • Processing data that has been lawfully disclosed in a reasonable scope — the scope of "disclosed information" is relatively limited2 - information that is only shared or circulated within the company may not qualify for such an exemption.

Based on the current rules, it may be difficult in practical terms to delineate the boundary between when express consent from the data subject may be required in an internal investigation, and when the above exemptions can be invoked. A company conducting an investigation will need to be aware of the limitations under the above exemptions and should not fully rely on these grounds to overcome the restrictions imposed by the PIPL. Failing to address these issues in advance may impact the credibility of an investigation or in a worst case scenario, may lead to the inability to continue the investigation.

Anonymising procedures

The PIPL excludes anonymized information from the definition of "personal information." Hence, anonymizing can provide an alternative approach when no general consent or separate consent can be obtained from the relevant data subjects. Nevertheless, such an alternative approach has its own limitations in light of the definition of "personal information" under the PIPL - any information that enables the identification of an individual may constitute personal information. For example, an employee may send out an email with his or her approval to a certain matter for which he or she is the only reviewer. Even if all information that can identify an individual, such as name and title, is redacted from the email, the email as a whole may still constitute personal information that can identify the employee.

More importantly, excessive anonymising may not help investigations. The first step of a compliance investigation aims at discovering non-compliant activities and the individuals involved. The outcomes rely on concrete evidence, which may contain personal information, and is thus against the nature of anonymization.


At the time of writing, the PIPL has not provided guidance for the handling of personal information in compliance investigations. We will provide a further update upon the release of any implementation rules and guiding interpretations. In the meantime, as mentioned in the key takeaways section above, businesses may wish to proactively take steps to ensure that the compliance programs of their Chinese operations are in compliance with the requirements under the PIPL.

1 According to Article 28 of the PIPL, sensitive personal data shall refer to personal data that, once leaked or used illegally, may easily infringe on the personal dignity of natural persons or endanger personal or property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts tracking and other data, as well as the personal data of minors under the age of 14.

2 According to the national standard "Information Security Technology - Personal Information Security Specification" (《信息安全技术 个人信息安全规范》, GB/T 35273-2020), disclosed information shall be the one that is shared and disclosed to the public by the subject voluntarily.


LOGO BM-FenXun bold-RGB (003)

Baker & McKenzie FenXun (FTZ) Joint Operation Office is a joint operation between Baker & McKenzie LLP, an Illinois limited liability partnership, and FenXun Partners, a Chinese law firm. The Joint Operation has been approved by the Shanghai Justice Bureau. In accordance with the common terminology used in professional service organisations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm.  This may qualify as “Attorney Advertising” requiring notice in some jurisdictions.  Prior results do not guarantee a similar outcome.

This client alert has been prepared for clients and professional associates of Baker & McKenzie FenXun (FTZ) Joint Operation Office. Whilst every effort has been made to ensure accuracy, this client alert is not an exhaustive treatment of the area of law discussed and no responsibility for any loss occasioned to any person acting or refraining from action as a result of material in this presentation is accepted by Baker & McKenzie FenXun (FTZ) Joint Operation Office.

Contact Information

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.