The PRC Supreme People’s Court (SPC) and Supreme People’s Procuratorate have recently issued the Interpretation of Various Issues Concerning Application of Law in Handling Crimes of Infringing upon Citizen’s Personal Information. The interpretation clarifies several important issues in bringing criminal cases for infringing personal privacy and broadens the definition of personal information.
Companies now face greater exposure of privacy infringement and risk of criminal liability. The interpretation confirms that the infringement of personal information is a unit offence, which means that companies, together with in-charge and responsible employees, will be prosecuted under the offence.
The interpretation also attributes criminal responsibilities to companies if they fail to meet certain administrative requirements of privacy protection. For example, a company will be held liable for repeated violations of illegally obtaining, selling or providing personal information (not considering the quantity of personal information in the following first key feature), if the company has been subject to administrative penalties within two years, or has been subject to criminal penalties for infringement of personal information.
It is also a criminal offence if a network service provider leaks personal information that causes serious consequences. This can take place if the provider refuses to fulfil its management obligation of information network security, as required under PRC laws and regulations, and refuses to follow the rectification order from the relevant authority.
Quantifying the thresholds of indictable privacy infringement. Illegal sale, provision, purchase, or acquisition of personal information is an indictable offence if the offence is deemed “severe or extremely severe”. However, it was not clear to what extent an offence will meet the requirement of severity before the release of the interpretation. The interpretation provides detailed scenarios that will be deemed severe and extremely severe, including the quantified thresholds as follows:
- No less than 50 pieces of personal information in terms of an individual’s whereabouts, content of telecommunication, credit information or property information;
- No less than 500 pieces of personal information in terms of an individual’s lodging, telecommunication record, health status or transaction information that may impact the individual’s personal or property security;
- No less than 5,000 pieces of personal information other than the above two scenarios; or
- No less than RMB5,000 (US$750) of illegal gain.
If the personal information is sold or provided by a party who obtained such personal information while fulfilling obligations or providing services, the above thresholds will be reduced by half. In addition, if a party repeatedly provides personal information about the same individual(s) to different parties, the quantity of personal information will be aggregated when assessing if the threshold has been met.
Expanding the definition of personal information. According to the interpretation, personal information means any information, individually or combined with other information, that can identify a specific individual. Therefore, a single piece of information (e.g., a name or mobile phone number) will fall within the definition if it identifies a specific individual. In the past, the authors have observed from prior cases that it would take at least three pieces of information of a specific individual to be deemed sufficient to identify that individual. In addition, for the first time, the definition of personal information covers information reflecting a specific individual’s activities.
Prohibiting publication of personal information. Article 3 of the interpretation prohibits the publication of personal information through the internet or other channels without consent, even if the information is legally obtained. This is to address the increasing trend of “cyber manhunt”, an informal term commonly used in China for large-scale internet search efforts to obtain personal information relating to individuals, which has caused significant material and moral damage, such as distress and reputational damage, to information owners. If companies are required to publicize employee or consumer information in certain situations, consent from the information owner must be secured prior to the publication.
Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by e-mailing Danian Zhang (Shanghai) at: firstname.lastname@example.org