January 30, 2023

Volume XIII, Number 30


January 27, 2023

Subscribe to Latest Legal News and Analysis

Final Part 3 - Three Weeks On: What We Know about The Enforcement of China’s Cybersecurity Law

Part 3 of this three-part entry discusses a separate, but equally important, legal development in China’s data protection environment.

On May 8, 2017, the Supreme People’s Court of China and the Supreme People’s Procuratorate issued an interpretation of criminal law regarding infringement of citizens’ personal information (the “Interpretation”).  The Interpretation examines the provision in China’s Criminal Law, which prohibits illegal provision of personal information, as well as illegally obtaining personal information through theft or other means.

The Interpretation defines “personal information” generally as “various types of information, whether recorded by electronic or other means, that can be used separately or in combination with other information to identify a natural person.” This definition is largely consistent with the definition in the Cybersecurity Law, but it also adds an individual’s financial records and location information to the enumerated list of personal information.

Under the Criminal Law or the Interpretation, the illegal provision of personal information includes the provision of personal information to a specific person or company or to disclose such information online or via other means. Even if the personal information is lawfully collected, if the data subject does not consent to the provision, the conduct may lead to serious criminal penalties for both the company and the responsible individual(s), if a company is involved in the crime. This clause does not apply if the data has been de-identified such that identification of a natural person is not possible.

Obtaining personal information unlawfully refers to the situations where a company or an individual obtains citizens’ personal information by purchasing, accepting, exchanging, or collecting the information during the process of performing one’s duties or providing services in violation of “relevant rules and regulations.”  Collecting personal information without consent is thus viewed as a crime.

Individuals or companies that commit the offense under “serious circumstances” are subject to imprisonment for up to three years and/or a fine. “Serious circumstances” include but are not limited to those in which:

  • the personal information (especially a person’s location information) is used for crime;

  • the defendant illegally obtains, sells, or provides personal information above a specified threshold amount;

  • the illegal income is over RMB 5,000; or

  • the defendant commits the offense within two years of a prior offense.

Individuals or companies that commit this offense under “particularly serious circumstances” are subject to imprisonment of three to seven years and a fine. “Particularly serious circumstances” include but are not limited to those:

  • causing death or serious injury; or

  • causing significant economic loss or adverse social effects.

Part 1 - Three Weeks On: What We Know about Enforcement of China’s Cybersecurity Law

Part 2 - Three Weeks On: What We Know about Enforcement of China’s Cybersecurity Law

© 2023 Covington & Burling LLPNational Law Review, Volume VII, Number 173

About this Author

Yan Lou, Regulatory and public policy lawyer, Covington
Of Counsel

Yan Luo advises clients in a broad array of regulatory matters in connection with international trade, cybersecurity and antitrust/competition laws in the U.S., EU and China.

With previous work experience in Washington, DC and Brussels before relocating to Beijing, Ms. Luo has fostered her government and regulatory skills in all three capitals. She is able to strategically advise international companies on Chinese regulatory matters and represent Chinese companies in regulatory reviews in other markets.

Theodore J. Karch, Covington, intellectual property attorney

Ted Karch advises clients in a range of industries on the legal and reputational risks inherent in today’s data-driven world. His practice involves advising on US federal and state data privacy and cybersecurity laws as well as international privacy rules, including the EU General Data Protection Regulation (GDPR) and China’s Cybersecurity Law.

Mr. Karch helps clients navigate issues that arise in developing and launching innovative products. He has advised clients on practical solutions for approaching issues implicated by laws involving biometric data, online...