On 8 May 2017, the PRC Supreme People’s Court and the Supreme People’s Procuratorate jointly issued the Interpretation of Various Issues Concerning Application of Law in Handling Crimes of Infringing upon Citizen’s Personal Data, which provides more detailed guidelines for handling criminal cases involving infringement of personal data.
Unlike many other countries, China does not have a comprehensive personal data protection law. Various governmental bodies have issued regulations to address data protection issues, but these have not been well enforced due to the lack of significant punishment for offences. The Criminal Law, amended in 2015, provided a general definition for the “crime of infringing upon citizen’s personal data”, but left some issues for the personal data crime interpretation to clarify.
Under the judicial interpretation, an individual’s name, ID card number, telecommunication contact details, address, account password, wealth status, geographic tracking records and other information that can identify the individual, or reflect the individual’s progress of activity, are defined as “personal data”.
The interpretation prohibits the illegal obtainment, sale or provision of personal data. The severity of an offence will be determined by reference to the quantity of personal data that has been illegally obtained, sold or provided. For example, it will be a “crime of infringing personal data” if the offender illegally obtains, sells or provides:
- No less than 50 pieces of personal data relating to an individual’s whereabouts, content of telecommunication, credit information or property information; or
- No less than 500 pieces of personal data relating to an individual’s lodging, telecommunication record, health status or transaction information that may impact the individual’s personal or property security; or
- No less than 5,000 pieces of personal data relating to matters other than the above two categories.
An offender can be sentenced to imprisonment for up to three years, along with a criminal fine. If a company commits a “personal data infringement crime”, the person in charge (for example, the general manager) can be punished according to the above standards for individual offenders, and the company can face a criminal fine.
Along with the interpretation, the Supreme People’s Court has published a summary of several typical criminal cases involving “personal data infringement” handled by the courts in recent years, in order to provide more general guidance. In one of these cases, the internal IT system of a popular hotel in China was hacked, and more than 20 million pieces of its guests’ personal data were disclosed online. The offender in the case downloaded this disclosed personal data from the internet, uploaded it to his website and provided it to subscribers for a charge. It was found to be a serious offence, and the offender was sentenced to prison for three years.
Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by e-mailing Danian Zhang (Shanghai) at: email@example.com