A recent decision by a Shanghai court sheds new light onto a vague provision of the PRC Criminal Law and highlights the challenges faced by foreign companies overseeing local operations in China.
On September 28, 2012, Dun & Bradstreet’s local operating subsidiary Shanghai Roadway D&B Marketing Services Co., Ltd. (“Roadway”) was charged by the Shanghai public prosecutor with “illegally obtaining private information from Chinese citizens.” As reported by the Chinese press, the private information included the personal data of 150 million Chinese citizens, including their income, job titles, and addresses.
On January 9, 2013, the Wall Street Journal reported that the Shanghai Zhabei District Court found Roadway guilty of illegally purchasing the personal information of private citizens and fined the company RMB $1 million (US $160,648). Four employees involved in the illegal purchase were also sentenced to up to two years in jail and each fined between RMB $5,000 to RMB $10,000 (US $800 to $1600).
The Shanghai court’s decision, though not yet publicly released, appears to be based on a 2009 amendment of the PRC Criminal Law that created Article 253(a), which criminalizes the act of an entity or individual in certain industries obtaining, providing, or selling a citizen’s personal information. The law specifically focused on entities and individuals in the finance, telecommunication, transportation, education, or healthcare industries, but also included an “etc.” (等) catch-all for other industries.
The Roadway case suggests that Article 253(a) may apply not only to the listed industries but also to other industries with access to large amounts of personal data, such as a marketing company like Roadway. A similar prohibition has also been included in a recently enacted law, entitled Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection (See our post here), that forbids the illegal acquisition, provision, or sale of a citizen’s “personal electronic information” by companies in all industries. These developments further evidence China’s growing commitment to protecting its citizen’s personal information and underscore the need for foreign companies to exercise careful oversight, monitoring, and control of company data collection practices and employee actions.