Part 3 of this three-part entry discusses a separate, but equally important, legal development in China’s data protection environment.

On May 8, 2017, the Supreme People’s Court and the Supreme People’s Procuratorate issued an interpretation of criminal law regarding infringement of citizens’ personal information (the “Interpretation”).  The Interpretation examines the provision in China’s Criminal Law, which prohibits illegal provision of personal information, as well as illegally obtaining personal information through theft or other means.

The Interpretation defines “personal information” generally as “various types of information, whether recorded by electronic or other means, that can be used separately or in combination with other information to identify a natural person.” This definition is largely consistent with the definition in the Cybersecurity Law, but it also adds an individual’s financial records and location information to the enumerated list of personal information.

Under the Criminal Law or the Interpretation, the illegal provision of personal information includes the provision of personal information to a specific person or company or to disclose such information online or via other means.  Even if the personal information is lawfully collected, if the data subject does not consent to the provision, the conduct may lead to serious criminal penalties for both the company and the responsible individual(s), if a company is involved in the crime. This clause does not apply if the data has been de-identified such that identification of a natural person is not possible.

Obtaining personal information unlawfully refers to the situations where a company or an individual obtains citizens’ personal information by purchasing, accepting, exchanging, or collecting the information during the process of performing one’s duties or providing services in violation of “relevant rules and regulations.”  Collecting personal information without consent is thus viewed as a crime.

Individuals or companies that commit the offense under “serious circumstances” are subject to imprisonment for up to three years and/or a fine. “Serious circumstances” include but are not limited to those in which:

  • the personal information (especially a person’s location information) is used for crime;
  • the defendant illegally obtains, sells, or provides personal information above a specified threshold amount;
  • the illegal income is over RMB 5,000; or
  • the defendant commits the offense within two years of a prior offense.

Individuals or companies that commit this offense under “particularly serious circumstances” are subject to imprisonment of three to seven years and a fine. “Particularly serious circumstances” include but are not limited to those:

  • causing death or serious injury; or
  • causing significant economic loss or adverse social effects.

 

Click here to return to Part 1 or Part 2 of this three-part post on the landscape surrounding China’s Cybersecurity Law.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Yan Luo Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the…

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.