May 24, 2019

May 24, 2019

Subscribe to Latest Legal News and Analysis

May 23, 2019

Subscribe to Latest Legal News and Analysis

May 22, 2019

Subscribe to Latest Legal News and Analysis

Final Part 3 - Three Weeks On: What We Know about The Enforcement of China’s Cybersecurity Law

Part 3 of this three-part entry discusses a separate, but equally important, legal development in China’s data protection environment.

On May 8, 2017, the Supreme People’s Court of China and the Supreme People’s Procuratorate issued an interpretation of criminal law regarding infringement of citizens’ personal information (the “Interpretation”).  The Interpretation examines the provision in China’s Criminal Law, which prohibits illegal provision of personal information, as well as illegally obtaining personal information through theft or other means.

The Interpretation defines “personal information” generally as “various types of information, whether recorded by electronic or other means, that can be used separately or in combination with other information to identify a natural person.” This definition is largely consistent with the definition in the Cybersecurity Law, but it also adds an individual’s financial records and location information to the enumerated list of personal information.

Under the Criminal Law or the Interpretation, the illegal provision of personal information includes the provision of personal information to a specific person or company or to disclose such information online or via other means. Even if the personal information is lawfully collected, if the data subject does not consent to the provision, the conduct may lead to serious criminal penalties for both the company and the responsible individual(s), if a company is involved in the crime. This clause does not apply if the data has been de-identified such that identification of a natural person is not possible.

Obtaining personal information unlawfully refers to the situations where a company or an individual obtains citizens’ personal information by purchasing, accepting, exchanging, or collecting the information during the process of performing one’s duties or providing services in violation of “relevant rules and regulations.”  Collecting personal information without consent is thus viewed as a crime.

Individuals or companies that commit the offense under “serious circumstances” are subject to imprisonment for up to three years and/or a fine. “Serious circumstances” include but are not limited to those in which:

  • the personal information (especially a person’s location information) is used for crime;

  • the defendant illegally obtains, sells, or provides personal information above a specified threshold amount;

  • the illegal income is over RMB 5,000; or

  • the defendant commits the offense within two years of a prior offense.

Individuals or companies that commit this offense under “particularly serious circumstances” are subject to imprisonment of three to seven years and a fine. “Particularly serious circumstances” include but are not limited to those:

  • causing death or serious injury; or

  • causing significant economic loss or adverse social effects.


Part 1 - Three Weeks On: What We Know about Enforcement of China’s Cybersecurity Law

Part 2 - Three Weeks On: What We Know about Enforcement of China’s Cybersecurity Law

© 2019 Covington & Burling LLP

TRENDING LEGAL ANALYSIS


About this Author

Yan Lou, Regulatory and public policy lawyer, Covington
Of Counsel

Yan Luo advises clients in a broad array of regulatory matters in connection with international trade, cybersecurity and antitrust/competition laws in the U.S., EU and China.

With previous work experience in Washington, DC and Brussels before relocating to Beijing, Ms. Luo has fostered her government and regulatory skills in all three capitals. She is able to strategically advise international companies on Chinese regulatory matters and represent Chinese companies in regulatory reviews in other markets.

86.10.5910.0516
Theodore J. Karch, Covington, intellectual property attorney
Associate

Ted Karch advises clients in a range of industries on the legal and reputational risks inherent in today’s data-driven world. His practice involves advising on US federal and state data privacy and cybersecurity laws as well as international privacy rules, including the EU General Data Protection Regulation (GDPR) and China’s Cybersecurity Law.

Mr. Karch helps clients navigate issues that arise in developing and launching innovative products. He has advised clients on practical solutions for approaching issues implicated by laws involving biometric data, online behavioral advertising, geolocation information, genetic privacy, children’s privacy, student privacy, and unfair and deceptive practices. This advice often spans multiple jurisdictions, including the US, the EU, and China, among others.

In addition, Mr. Karch advises clients in managing their intellectual property portfolio, especially copyright and trademark assets.

415-591-7094