Final Part 3 - Three Weeks On: What We Know about The Enforcement of China’s Cybersecurity Law
Part 3 of this three-part entry discusses a separate, but equally important, legal development in China’s data protection environment.
On May 8, 2017, the Supreme People’s Court of China and the Supreme People’s Procuratorate issued an interpretation of criminal law regarding infringement of citizens’ personal information (the “Interpretation”). The Interpretation examines the provision in China’s Criminal Law, which prohibits illegal provision of personal information, as well as illegally obtaining personal information through theft or other means.
The Interpretation defines “personal information” generally as “various types of information, whether recorded by electronic or other means, that can be used separately or in combination with other information to identify a natural person.” This definition is largely consistent with the definition in the Cybersecurity Law, but it also adds an individual’s financial records and location information to the enumerated list of personal information.
Under the Criminal Law or the Interpretation, the illegal provision of personal information includes the provision of personal information to a specific person or company or to disclose such information online or via other means. Even if the personal information is lawfully collected, if the data subject does not consent to the provision, the conduct may lead to serious criminal penalties for both the company and the responsible individual(s), if a company is involved in the crime. This clause does not apply if the data has been de-identified such that identification of a natural person is not possible.
Obtaining personal information unlawfully refers to the situations where a company or an individual obtains citizens’ personal information by purchasing, accepting, exchanging, or collecting the information during the process of performing one’s duties or providing services in violation of “relevant rules and regulations.” Collecting personal information without consent is thus viewed as a crime.
Individuals or companies that commit the offense under “serious circumstances” are subject to imprisonment for up to three years and/or a fine. “Serious circumstances” include but are not limited to those in which:
the personal information (especially a person’s location information) is used for crime;
the defendant illegally obtains, sells, or provides personal information above a specified threshold amount;
the illegal income is over RMB 5,000; or
the defendant commits the offense within two years of a prior offense.
Individuals or companies that commit this offense under “particularly serious circumstances” are subject to imprisonment of three to seven years and a fine. “Particularly serious circumstances” include but are not limited to those:
causing death or serious injury; or
causing significant economic loss or adverse social effects.