LawFlash

Beijing Courts Find WeChat Records Inadmissible if Recovered Without Employee Consent

April 19, 2023

As the data protection regime in China continues to evolve, so do the individual privacy rights of employees. A Beijing appellate court recently rejected an employer’s ability to use—without the employee’s informed consent—deleted WeChat data from a company-issued device in a legal proceeding to support the termination of an employee’s employment contract by demonstrating misconduct. The Beijing appellate court’s view is likely to be followed more broadly, so employers should adjust data protection policies and consents to reflect broader forms of personal data that the company may collect.

It is increasingly common for employers to provide employees with company devices (such as laptops, mobile phones, and/or tablets) for work-related purposes. To protect proprietary information, many employers will use a number of different methods to monitor the activities on the company devices and preserve/recover data.

A company will often seek to use the data obtained from a company device as evidence when there is an internal investigation or dispute, particularly when the matter involves the employee to whom the company device is assigned.

In a recently reported case, the Beijing courts ruled that deleted WeChat records of an employee on a company computer cannot be admitted if recovered without the employee’s consent, [1] which poses new challenges to the collection/processing of employees’ personal data in China for various purposes, including human resources management, internal investigations, and dispute resolution.

CASE BACKGROUND

The company in this case (Defendant) terminated the employment contract of the employee (Plaintiff) on the ground that the employee materially violated the Defendant’s policy. According to the Defendant, the Plaintiff engaged in a number of non-compliant activities. One of the allegations is that the Plaintiff handled personal matters during working hours and lied to the Defendant about this by colluding with another employee (Co-worker).

According to the judgments published online, the Defendant submitted WeChat records regarding the conversation between the Plaintiff and the Co-worker obtained from the company computer used by the Plaintiff to prove the alleged wrongdoing. The judgments do not reveal any detail regarding the conversation.

When questioned how the Defendant obtained the WeChat records, the Defendant first responded they recovered the deleted data on the company computer used by the Plaintiff (without consent). Although the Defendant later claimed that the WeChat records were collected by another employee with the Plaintiff’s consent, they failed to provide any documentation to support this contrary account.

The Plaintiff claimed that the termination was unlawful and sought financial damages for wrongful termination among other claims. In response to the WeChat records with the Co-worker, the Plaintiff challenged the legality of such evidence.

BEIJING COURTS’ DECISIONS AND OPINIONS

The trial court (namely, Beijing Fengtai District People’s Court) found in favor of the Plaintiff and supported all his claims. With regard to the WeChat records between the Plaintiff and the Co-worker, the trial court refused to admit these records, as the Defendant failed to prove that they were lawfully obtained.

Notably, after analyzing and opining on all the disputed issues, the trial court wrote a separate paragraph in the judgment specifically commenting on the collection of deleted data by the Defendant. The trial court pointed out that regardless of the contents of the deleted WeChat records from the company computer, they constitute the Plaintiff’s personal information and should have been recovered and collected only after the Plaintiff provided his informed consent in a voluntary and explicit manner.

According to the trial court, it was inappropriate and against the core principle of personal information protection to recover the data deleted by the Plaintiff and use the recovered data as evidence to support the Defendant’s disciplinary action and its defense in the litigation without the Plaintiff’s consent. The trial court went further to criticize the Defendant and requested that it make improvements and adjustments to enhance its awareness of personal information protection and strictly fulfill its responsibilities to protect its employees’ rights and interests.

The Defendant filed an appeal to the Beijing Second Intermediate People’s Court (Beijing Intermediate Court). While the appellate court did not further discuss the admissibility of the recovered WeChat records in its ruling, it affirmed the trial court’s decision in February 2022.

BEIJING COURT’S ELABORATION ON PERSONAL INFORMATION PROTECTION IN EMPLOYMENT CASES

Following its affirmation of the trial court’s decision, the Beijing Intermediate Court conducted a study based on the above case, and its case analysis article won an award within the national court system. In the article, the Beijing Intermediate Court further elaborated on the boundaries for employers to lawfully process the personal information of employees. Some of the key guidelines are summarized below.

  • In labor dispute cases, courts should review an employer’s personal information processing activities based on their legality, legitimacy, and reasonableness and determine the admissibility of the evidence obtained through such activities accordingly.
  • Informed consent is a fundamental factor when evaluating legality. While signing the labor contract can be regarded as a form of “general consent” provided by the employee for processing certain personal information necessary for the purpose of employment management, the processing of any personal information beyond this purpose (such as the recovery of deleted WeChat data for the purposes of disciplinary action or litigation in the instant case) or the processing of any sensitive personal information requires informed consent.
  • Legitimacy should be evaluated based on the purposes of the processing.
    • First, the purposes for collecting the personal information and for subsequently processing the personal information must be compatible. For example, the Beijing Intermediate Court holds the view that installing surveillance software on the company laptop to obtain information at any given time violates this principle as it lacks a clear and specific purpose for using the collected data. In addition, if the employer uses the employees’ medical information originally collected to protect them for the contrary purpose of setting unachievable work or production targets in order to weed out and support the termination of the worst performer based on poor performance, it also violates this principle as the purposes for the collection and the subsequent processing are incompatible.
    • Second, the purposes for personal information processing must be acceptable. For example, while it is legitimate for a company to equip a company car with the GPS system or to install surveillance cameras at a workplace to make sure that the company assets are properly used and safely kept, the above actions would be unlawful and any evidence collected by these means should be inadmissible if the purpose is to pry into the privacy of the employee or to collect evidence more broadly for potential litigations or arbitrations that may arise in the future.
    • Third, the intended processing of personal information must be relevant to employment management. For example, while the Beijing Intermediate Court finds it necessary for a restaurant to collect health information from its cook or waiters/waitresses to ensure that they do not have any infectious diseases preventing them from performing their job duties, it believes that health information of the restaurant’s accountant is irrelevant to the performance of his/her work and therefore should not be freely collected by the employer.
  • Reasonableness should be evaluated based on whether the processing is proportionate. Employers should collect personal information only to the minimum extent necessary for achieving employment management purposes.

OTHER COURTS’ ATTITUDE TOWARDS SIMILAR ISSUES

The Beijing courts’ ruling in the instant case is similar to that of the Shanghai courts in an earlier case reported in August 2021. In the Shanghai case, it was reported that an employee diverted business opportunities for self-enrichment, and the employer sought damages from the employee by submitting the call log and audio recording(s) recovered and collected from the company-issued cell phone.

While the employer argued that it had the right to collect the call log and audio recording(s), as the cell phone was a company-issued device, the Shanghai court found this evidence illegal and inadmissible, as the employer failed to prove either of the following facts: (1) it disclosed in advance that it would record the telephonic conversations made through the company cell phone and would recover data on that phone; and (2) it obtained consent from the employee to collect/recover relevant data. Notably, the appellate court upheld the trial court’s decision.

Notably, an appellate court in Zhongshan City, Guangdong province favored the employer on a similar issue in its ruling in February 2021. [2] In that case, the employer filed a civil claim against its former employees for infringement of trade secrets. The evidence submitted by the employer included WeChat records collected from the company computers used by the employees through a third-party surveillance software installed on these computers.

The trial court dismissed the employer’s claims without discussing the admissibility of the WeChat records. However, the appellate court admitted the WeChat records and overturned the trial court’s decision based on the grounds that (1) there is no serious harm to the employee’s rights and interests given that the surveillance software is installed on the company computers as opposed to the employees’ personal computers and that the surveillance on the company computers has been carried out (through that software) during working hours; and (2) the purpose for collecting the WeChat records is to prove that the employee engaged in trade secret infringement and to safeguard the employer’s legitimate rights and interests.

The above cases demonstrate that the attitudes of the courts differ as to whether WeChat or phone call records collected from company-issued devices without employee’s consent can be admitted as evidence in a civil legal proceeding in China. Notably, the decision in the Guangdong case was issued by the appellate court before the effective date of the PRC Personal Information Protection Law (PIPL) (namely, November 1, 2021).

While it remains to be seen whether more courts will follow the approach adopted in the Beijing and Shanghai cases described above, the fact that the recent article published by the Beijing Intermediate Court was selected as an award-winning article by the PRC Supreme People’s Court suggests that this approach is more likely to be adopted in the post-PIPL era.

TAKEAWAYS

The Beijing court’s recent ruling and case analysis article (along with the Shanghai courts’ decision) described above suggest that evidence involving employees’ personal information collected without consent may not be admitted in a civil legal proceeding, even if the data is collected from the company device assigned to the employee at issue.

In addition, the collection and processing of personal information without the employee’s consent may violate the PIPL and could therefore subject the company (and the in-charge officers, where applicable) to legal liabilities under the PIPL. This poses significant challenges to companies in China with respect to the collection and retention of business-related data involving the employees’ personal information. The issue is further complicated by the record-keeping requirements under foreign laws that may apply to certain business operations in China (such as the requirements to retain, collect, and produce business records residing on personal devices or in ephemeral messaging applications mandated by the US Department of Justice).

To mitigate risks, companies in China may consider taking the following actions:

  • Carefully assess the scope of data to be collected and retained based on the business needs and the requirements and restrictions under applicable laws.
  • Review internal policies and ensure that the following are covered:
    • Which devices and systems should be used to store and transfer business-related data (companies should designate the working systems and devices controlled or owned by them as the primary tools and platforms for these purposes)
    • Whether and under what circumstances employees may use personal devices or accounts for business purposes (the use of personal devices or accounts should be restricted; for example, personal devices should not be used unless company-controlled working systems are installed, and personal WeChat accounts, if allowed, should only be used for non-substantive communications with relevant communication records properly archived in company-controlled working systems)
    • Where and how business information and documents are stored and archived and the retention periods
    • The disciplinary actions for non-compliance
  • Ensure that the aforementioned policies are properly implemented:
    • Complete the applicable consultation process under PRC employment law for the new/updated policy regarding the collection, processing, transfer, and retention of personal data of employees;
    • Perform periodic audits and improve the implementation of the personal data protection policy based on any issues identified during the audits or by other means.
  • Obtain informed consent from employees by providing a properly drafted privacy policy or similar disclosure documents covering all intended data collection/processing activities and properly document the employees’ consent (especially for the separate consent as required under certain circumstances).
  • Take necessary measures to comply with other data protection requirements (such as the requirements for data protection impact assessments under certain circumstances) under the PIPL and other PRC laws and regulations.
  • Consider adopting and requiring employees to use the corporate versions of messaging applications to engage in any company business, as these corporate versions generally provide the company with an independent record of the communications.

As the data protection regime in the PRC continues to develop and the employee privacy rights become stronger, companies need to update and revise their policies to keep up and ensure they are equipped to address issues that arise, particularly in the event of misconduct.

NAVIGATING THE NEXT.

Sharing insights and resources that help our clients prepare for and address evolving issues is a hallmark of Morgan Lewis. To that end, we maintain a resource center with access to tools and perspectives on timely topics driven by current events such as the global public health crisis, economic uncertainty, and geopolitical dynamics. Find resources on how to cope with the globe’s ever-changing business, social, and political landscape at Navigating the NEXT. to stay up to date on developments as they unfold. Subscribe now if you would like to receive a digest of new updates to these resources.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:


[1] See (2021)京0106民初21840号; (2022)京02民终1072号.

[2] See (2020)20民终6958.