CHINA: An Introduction to Corporate Investigations/Anti-Corruption (PRC Firms)
Corporate Investigation and Data Compliance Practices in the New Legal Environment:
新法律环境下的公司调查与数据合规实务:
Anti-corruption is one of the basic ways for companies to improve management and strengthen risk control, among which, internal investigation is an important means to achieve the purpose of anti-corruption within the institution, reduce or make up for losses and strengthen corporate control. Corporate anti-corruption investigation has gone through its preliminary stage involving such traditional ways as employee interviews and third-party inquiries, then developed to the stage of monitoring employee behaviour and conducting electronic data investigations using various technologies. Currently, it has entered into the mature stage where diversified and integrated investigation methods are used.
反腐败是公司改善管理、加强风险管控的基本途径之一,其中,公司内部调查是实现自我反腐、减损补损、强化控制的重要手段。公司反腐败调查经历了传统的员工访谈、第三方询证的初级阶段,到用各类技术手段对员工行为进行监测、开展电子数据调查的发展阶段。目前已经步入了调查方式多样化、一体化的成熟阶段。
In this mature stage, corporate anti-corruption investigations face various challenges in the new legal environment. With continuous improvement of the Personal Information Protection Law (“PIPL”) and its related specific regulations, rules, interpretations and judicial cases, China has strengthened its efforts to protect personal information in cross-border investigations and evidence collection activities, thereby increasing the difficulty of conducting such investigations. How to conduct effective internal investigations by companies, their external lawyers and third-party investigators while ensuring the legality and effectiveness of the investigation procedures, methods and evidence collection has become a prominent challenge in practice.
在成熟阶段,公司反腐败调查面临着新法律环境下的各项挑战。随着《个人信息保护法》及其相关配套细则、释义、和司法案例的不断完善,我国对于跨境调查和取证活动中的个人信息保护力度加强,由此增加了调查难度。公司及公司外聘律师、第三方调查人员如何在确保调查程序、手段、证据收集的合法性及效力的前提下,开展行之有效的内部调查,成为了实务中凸显的难题。
1. Personal Information Protection Regulations Faced by Anti-Corruption Investigations in the Mature Stage:
成熟阶段公司反腐败调查面临的个人信息保护规制:
During corporate anti-corruption investigations, it is unavoidably necessary to investigate various interactions between employees and business partners. One might need to know the whereabouts, property status, consumption expenditure records, communication and chat records of involved employees, and even information such as the financial status of their close relatives, real estate holdings and vehicles purchased and used. Such information should belong to the personal information that Chinese citizens should be protected under the Personal Information Protection Law, including their whereabouts, financial accounts and property status that should be specially protected as sensitive personal information.
公司反腐败调查中,不可避免地需要调查涉案员工与商业伙伴之间的各种交往行为,需要掌握涉案员工的行踪轨迹、财产状况、消费支出记录、通讯聊天记录,甚至包括员工近亲属的财务状况、持有的不动产、购买使用的车辆等信息。这些信息在《个人信息保护法》项下均属于中国公民应当受到保护的个人信息,包括行踪轨迹、金融账户、财产状况等属于更是属于应受到特别保护的敏感个人信息。
If collected personal information is used, made public, provided to others, or unintentionally leaked without the consent of the subjects of this personal information, it may violate the provisions of the PIPL and may seriously violate Article 253.1 of the Criminal Law, constituting the crime of infringing on citizens’ personal information.
如果未经个人信息主体同意,无论将收集的个人信息自行使用、予以公开、提供给他人或者无意中泄露,都可能会违反《个人信息保护法》的规定,严重的可能触犯《刑法》第253条之一的规定,构成侵犯公民个人信息罪。
When multinational corporations conduct cross-border investigations against their Chinese employees involved in such cases, they may face more complex legal issues related to personal information protection either due to the fact that foreign institutions are directly collecting information within China, or that corporations in China are transferring the results of the investigation containing personal information collected within China to overseas headquarters for data processing.
跨国公司对其中国涉案员工开展跨境调查时,因可能涉及境外机构直接在中国境内收集信息,或者需要将在中国境内收集的包含个人信息的调查情况跨境传输至境外总部等数据处理活动,而面临更加复杂的个人信息保护法律问题。
2. Practical Observation:
实务观察:
Once an internal investigation is initiated, companies and their employees involved hold completely opposing positions, and conflicts of interest arise between the company and the employees involved. Obviously, from the perspective of multinational corporations conducting investigations, especially in complex cases involving a large number of employees during a long time-span, companies often hope to collect employees’ data as soon as possible while trying to avoid alarming the employees. Companies usually believe that collection of personal information in investigations is necessary for human resource management activities, so employees’ general consents obtained by the signing of an employee handbook or privacy policy constitutes sufficient consent. On the other hand, employees often believe that the act of collecting their personal information during internal investigations would require separate consent under the PIPL due to the fact that such investigations always involve processing, external provision and cross-border transmission of sensitive personal information, and therefore, the company must obtain separate consent from the employees.
一旦启动内部调查,公司和涉案员工的立场是完全对立且存在绝对利益冲突的。显然,从跨国公司开展调查的立场出发,特别是在涉及人数较多、时间跨度较长的复杂案件中,公司往往希望尽快收集员工数据,同时又不希望打草惊蛇。公司通常认为调查中个人信息的收集系基于人力资源管理活动所必需,因此公司通过要求签署员工手册或隐私政策以取得员工概括同意已构成足够授权。但是,员工往往认为内部调查中收集其个人信息的行为,因涉及到敏感个人信息的处理、对外提供和跨境传输根据《个人信息保护法》应当取得单独同意的情形,必须另行取得单独同意。
In internal investigations, obtaining separate consent from employees is fraught with difficulties. Firstly, to collect separate consent from employees will inevitably take up a lot of time due to employees’ refusal to cooperate, resulting in delaying the investigation period or causing the investigation activity to stagnate. Delaying the investigation for a long time is a major problem for the company, which may lead to irreversible consequences such as loss of evidence. Secondly, based on the sensitivity of the investigation, it is often impossible to inform employees of the overseas recipient’s name, purpose and method of processing and the type of personal information in accordance with the PIPL. Informing employees of such information basically means that the investigation purpose will be unsuccessful.
在内部调查中,向员工获得单独同意困难重重。一是向员工收集单独同意,必然将由于员工的拒绝配合占用大量时间,进而导致拖延调查周期或者使调查活动停滞不前。久拖不决对公司调查是大忌,可能导致证据灭失等不可逆后果。二是事实上基于调查的敏感性,往往不可能实现按照《个人信息保护法》的要求,向员工告知(境外)接收方的名称、处理目的、处理方式、个人信息的种类等,告知这些信息基本意味着调查目的将会落空。
3. Practical Solution:
破题之道:
We have noticed in some recent cases that multinational companies have begun to adopt various flexible ways to try to address this new challenge in practice. For example, when conducting investigations, companies will make efforts to limit evidence collection activities within the country, provide limited and non-sensitive personal information to the headquarters for decision-making and to isolate the work of evidence collection from the subsequent cross-examination, interviews and negotiations. In addition, in internal management, multinational corporations have begun to pay more attention to obtaining consent for processing their employees’ personal information in advance. When using personal information during investigations, companies have paid more attention to the objects, timing and methods of disclosure, and focus on protection and confidentiality of employees’ personal information to prevent improper disclosure and publication or use in areas beyond the scope of the investigation.
我们注意到在实务中已经有部分跨国公司开始采取各类灵活方式试图应对这一新挑战。例如,开展调查时尽量将取证活动限制在境内,仅将有限且脱敏的个人信息提供给总部用于决策,将取证工作与后续质证、访谈、协商工作进行隔离等。此外,在内部管理中,跨国公司开始更加注重事前取得员工个人信息授权,公司调查在使用个人信息时,将更加注意披露的对象、时机和方式,注重对员工个人信息的保护和保密,防止不当泄露和公开或在调查工作所需之外的领域使用。
At present, there is no comprehensively effective solution to balance the effectiveness of corporate investigations with due protection of the personal information of employees involved. This itself is like a contest: for employees involved in an investigation, the situation has changed from only being able to passively cooperate with the company’s investigation to now having the “shield” of personal information protection; for companies, it has changed from the previous, almost unrestricted, collection of evidence to the need to pay more attention to deploying legal methods; for lawyers or other third-party investigators, this new kind of legal environment and changes in the regulatory requirements also pose new challenges to conducting investigations.
目前,如何平衡公司调查的有效开展和涉案员工的个人信息保护尚无全面有效解决方案。这本身就是一场博弈:对涉案员工而言,情况从原本的只能被动配合公司调查,到现在有了个人信息保护这个“盾牌”;对公司而言,从原本的证据收集不受限,到现在需要更加注意采取合法的方式、方法;对律师或其他第三方调查者而言,这种新法律环境和监管要求的变化亦对相关调查工作的开展提出了新的挑战。