Part 3 of this three-part entry discusses a separate, but equally important, legal development in China’s data protection environment.

On May 8, 2017, the Supreme People’s Court and the Supreme People’s Procuratorate issued an interpretation of criminal law regarding infringement of citizens’ personal information (the “Interpretation”). The Interpretation examines the provision in China’s Criminal Law that prohibits the illegal provision of personal information, as well as illegally obtaining personal information through theft or other means.

The Interpretation defines “personal information” generally as “various types of information, whether recorded by electronic or other means, that can be used separately or in combination with other information to identify a natural person.” This definition is largely consistent with the definition in the Cybersecurity Law, but it also adds an individual’s financial records and location information to the enumerated list of personal information.

Under the Criminal Law or the Interpretation, the illegal provision of personal information includes providing personal information to a specific person or company, or disclosing such information online or via other means. Even if the personal information is lawfully collected, if the data subject does not consent to the provision, the conduct may lead to serious criminal penalties for both the company and the responsible individual(s), if a company is involved in the crime. This clause does not apply if the data has been de-identified such that identification of a natural person is not possible.

Obtaining personal information unlawfully refers to situations where a company or an individual obtains citizens’ personal information by purchasing, accepting, exchanging, or collecting the information during the process of performing one’s duties or providing services in violation of “relevant rules and regulations.” Collecting personal information without consent is thus viewed as a crime.

Individuals or companies that commit the offense under “serious circumstances” are subject to imprisonment for up to three years and/or a fine. “Serious circumstances” include but are not limited to those in which:

  • the personal information (especially a person’s location information) is used for crime;
  • the defendant illegally obtains, sells, or provides personal information above a specified threshold amount;
  • the illegal income is over RMB 5,000; or
  • the defendant commits the offense within two years of a prior offense.

Individuals or companies that commit this offense under “particularly serious circumstances” are subject to imprisonment of three to seven years and a fine. “Particularly serious circumstances” include but are not limited to those:

  • causing death or serious injury; or
  • causing significant economic loss or adverse social effects.

 

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named as Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.