New personal data protection rules strike a criminal tone-中伦律师事务所


New personal data protection rules strike a criminal tone 作者:方建伟 乔亦眉 2017-09-08


The Interpretation on Several Issues Concerning the Application of the Law in the Handling of Criminal Cases Involving the Infringement of the Personal Information of Citizens (Judicial Interpretation), jointly published by the Supreme People’s Court (SPC) and Supreme People's Procuratorate (SPP) on May 8, 2017, came into effect on June 1, 2017 together with the PRC Cybersecurity Law (Cybersecurity Law).


This is the first Judicial Interpretation released for personal data protection since the infringement of citizens’ personal information was incorporated as an offence in the PRC Criminal Law (Criminal Law) in 2015. The new Judicial Interpretation brings tougher regulatory challenges for obligators for personal information protection.


Expanded definition of personal data


Taking into account modern tracking systems and big data analytics, the definition of personal information has been expanded under the Judicial Interpretation to include not only personal identification information (also known as PII and includes name, date of birth, ID number, address and telephone number), but also data that can reflect citizens’ activities, including location and behavioral information. Under the expanded definition, data protection mechanisms run by enterprises would have to cover a wider scope to safeguard all information relating to individuals’ whereabouts, activities and the like.


The expanded definition is expected to be applied widely. The Cybersecurity Law is a striking instance. Shortly after the publication of the Judicial Interpretation, on May 19, 2017 the Cybersecurity Administration of China (CAC) held a seminar with international business community representatives. It then released an amended draft of the Measures for Security Assessments of the Transfer of Personal Information and Important Data Overseas, providing an expanded definition of personal information in line with that under the Judicial Interpretation.


Criminal threshold


The severity of the infringement has a significant bearing on the conviction and punishments of offenders. Specifically, only a severe infringement could lead to criminal punishment. When the offence does not reach the threshold to trigger a criminal investigation, the CAC and public security department are responsible for imposing an administrative punishment through Article 64 of the Cybersecurity Law.


What constitutes a severe infringement is determined by the following factors: (i) the amount and type of citizens’ personal information being collected, sold and provided; (ii) the amount of illegal profits earned from infringing citizens’ personal information; (iii) whether the personal information is used for criminal purposes; (v) whether the offender has a record of criminal and administrative punishments from the past two years. If a party commits to selling, collecting and providing personal data (excluding specific data regarding particular activities and property status) for the purpose of conducting lawful business activities, the standard for “severe” is looser—an infringement may be deemed a serious case once: (i) the illegal profits obtained from the infringement are over Rmb50,000; and (ii) the infringer has a record of criminal and administrative punishments from the past two years .


The offender may be sentenced up to seven years imprisonment and be fined for extremely severe circumstances of infringement including: (i) selling, collecting and providing citizens’ personal information leading to the death, severe injury, mental impairment or kidnapping of the infringed; (ii) where the amount of citizens’ personal information and the illegal profits are over 10 times the minimum amount constituting a severe infringement.


Enterprise liabilities


Both Article 253 of the Criminal Law and Article 7 of the Judicial Interpretation provide that where an entity commits a crime, the individuals directly in charge and others responsible will be punished in accordance with a natural person’s punishment. A fine will also be imposed on the company.


Under the Cybersecurity Law, if a network service or product provider collects users’ personal data, the network service provider must clearly notify the users and obtain their prior consent. Similarly, the Judicial Interpretation stipulates that information cannot be shared with other parties without users’ prior consent, notwithstanding that the personal information is lawfully collected.


The network service provider will be convicted under Article 286A of the Criminal Law if: (i) it refuses to perform its cybersecurity management obligations; (ii) it defies administrative orders and refuses to rectify; and (iii) its failure to comply results in misappropriation of user data and causes serious consequences.  


Shortly after publishing the Judicial Interpretation, the SPC and SPP jointly released several typical case precedents of personal data infringement. While all the cases involved individual defendants, the Chinese courts will deem an entity guilty if it has infringed personal information for business operations and has authorized such acts. Therefore, a complete compliance mechanism, including employee training and daily supervision over data protection, is essential for minimizing the legal risks facing corporations and their managements.


Obtaining prior consent


Citizens’ personal information must not be sold under any circumstances. An individual or entity can only collect and/or provide (either domestically or cross-border) citizens’ personal data with prior consent.


At the current stage, there are two ways to obtain a citizen’s consent to collect and/or provide his/her personal information: (i) Face-to-face, where business owners (especially banks and telecom operators) may require an individual to sign a written form; (ii) Online platforms, where the network operator may require the user to tick a box to indicate consent. Otherwise, the Judicial Interpretation does not provide any other specific requirements for the forms used to obtain permission.


On May 31, the CAC held a press conference and reiterated that personal information can be transferred cross-border with the prior consent of users. Fortunately, according to the CAC, users dialing an international call, circulating an outbound email message, or ordering any product to be delivered cross-border on a foreign website, will be treated as being willing to provide their personal information overseas. This is a new guideline upon which authorities may exercise flexibility, in order to achieve a fine balance between commercial realities and data protection. 


本文最初发表于China Law and Practice 2017年度第二季度刊,现经授权发表于中伦平台。