1. To further define the Jurisdiction
1) Considering the registration place of an employer may be different from the place where the employer is actually located, the 2017 Version added that the arbitration committee of the main place where the employer is actually located shall have the jurisdiction over it.

2) To explicit the rules of multiple choices over the jurisdiction: where one of the two parties applies for arbitration to arbitration committee at the place where the labor contract is performed and the other does so at the place where the employer is located, the labor dispute shall be subject to the jurisdiction of the former. If there are multiple places where labor contracts are performed, the arbitration committee that first accepts the request shall have jurisdiction. If the place where labor contract is performed is not clear, arbitration committee at the place where the employer is located shall have jurisdiction.

2. Canceling the hearing of the courts in dealing with jurisdiction protest, namely, where a party files a protest over the jurisdiction, the arbitration committee shall review the protest, if the protest is supported, the arbitration committee shall transfer the case, if not, the arbitration committee shall reject the protest in written.

3. Adding the rules for application to extend time limit for evidence presentation, which means any party can apply to the arbitration committee for extending time limit for evidence presentation.

4. Adding the ruling of “One Disputed Matter, One Time Arbitration”, namely that for a notice of rejection issued by the arbitration committee, or during the process of arbitration or litigation, or mediation, adjudication or judgment has taken effect, the applicant applies for another arbitration based on same facts, reasons and claims, then such application shall not be accepted.

5. Adding the reasons for suspension of cases, mainly for the situation that any party fails to exercise the civil rights normally, or suffer from force majeure, or the situation that the case is pending due to the trial of another case.

6. Adding summary procedures, namely that it clarifies the applicable circumstances and not applicable circumstances, the procedural requirements on the summary procedures.

However, a comprehensive knowledge of this topic is very important in managing the relevant risks. Enterprises shall get to know 2 key aspects: 1) which regulations on the protection of “PI” are related to its operation; 2) how to reduce the relevant legal risks.

From June 1, 2017, the newly released laws and regulations on the protection of “PI” and internet security include: “Cybersecurity Law”, “Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases of Infringing on Citizens’ Personal Information” (hereinafter referred to “Interpretation”), “Provisions on Administration over the Internet News Information Services” and rules for the implementation. In view of the current laws and those newly released laws and regulations, enterprises could reduce legal risks from the aspects in regulating the collection, use and transfer of “PI”.

Firstly, the main principles concerning the collection of “PI” include the principle of legally collection, the principle of obtaining consent in advance, and the principle of necessity.

For the principle of legally collection, which means that nobody shall obtain “PI” by illegal means, such as purchase, or hack. According to “Interpretation”, criminal punishment shall be imposed if illegal procurement, sale or provision of more than 50 pieces of information concerning geographic location, content of correspondence, credit history, and financial assets of an individual.

Article 22 of “Cybersecurity Law” prescribes that where network products and services have the function of collecting users’ information, their providers shall explicitly notify their users and obtain their consent. In practice, in order to have a more comprehensive knowledge of the users’ experience, or develop potential users, some enterprises may have to collect “PI” of users or potential users. While collecting “PI”, enterprises shall obtain the consent of the relevant users or potential users by reasonable methods. Meanwhile, as introduced in the beginning, more and more enterprises tend to use internet platform or APPs to manage employees’ “PI”. Although “Information Security Technology — Guidelines on Personal Information Protection of Public and Commercial Service Information Systems” (hereinafter referred to as the “Guidelines”) stipulates that the subject of personal information shall be deemed consentient when he or she raises no clear objection. However, considering that China attach importance to the protection of “PI” (especially a growing voice of the demand for “Personal Information Protection Law”), it is recommended that enterprises should be more careful. For example, while collecting “PI”, an enterprise could set a button on the registration page on website or in an APP. The button shall state as “I have read and agree to the terms of use and privacy policy”. The registration will be accomplished only when the user clicks the button. This procedure could be deemed as the user has given consent to the enterprise for collecting “PI”.

Regarding the principle of necessity, the “Guidelines” clearly stipulates it as the principle of minimum information necessary for the performance of tasks. Therefore, whether it is employees’ information or information of users/ potential users, the enterprise should only collect information that is within the range of minimum information necessary for the performance of tasks that is consistent with the purpose.

Secondly, the use of “PI” is controlled mainly from two aspects:
(1)The limitation of the purposes of use
“Guidelines” stipulates that any enterprise shall not change the purposes of “PI” handling to process, use or transfer when the relevant subject has no knowledge of such change, and shall delete “PI” involved within the shortest period of time after the handling purposes are fulfilled.There is an incorrect opinion that many enterprises believe “PI” collected legally by themselves are their own property, so they can use “PI” at their own doctrine.

(2)The reasonable information protection measures
According to “Cybersecurity Law”, network operators shall take technical measures and other necessary measures to ensure the security of “PI” they have collected, and prevent “PI” from being divulged, damaged or lost. When “PI” is or might be divulged, damaged or lost, they shall take remedial measures immediately, notify the users in a timely manner in accordance with relevant provisions and report to relevant competent authorities. In practice, enterprises should take strict encryption measures for “PI” stored by the network platform or APPs, to prevent internal staffs from disclosing illegally or third-party from stealing; the persons who have the right to access to “PI” shall be limited to internal staffs and/or third parties who must to know those information; in addition, enterprises shall conduct periodic safety assessment to storage devices. In practice, when “PI” is divulged, enterprises shall notify users in a timely manner, so that users can take remedial measures immediately. Enterprises shall report to relevant competent authorities, with the inspection of law enforcement agencies.

Further, it is noted that “Cybersecurity Law” has prescribed for the first time that “PI” collected within the territory of China, if it shall be sent abroad, a security assessment shall be carried out according to the measures formulated by the national Internet information department in conjunction with the relevant departments of the State Council. Therefore, “PI” collected by enterprises should be stored in China. If “PI” has to be sent abroad, enterprises shall conduct the examination and approval procedure.