A senior executive named Chen and several technicians of Shanghai company Z were investigated by the public security authority for using crawler technology to illegally acquire data from a take-out platform without authorisation between 2019 and 2020, on the grounds that it was necessary for the company’s operations.
After receiving an application for non-prosecution based on criminal compliance from company Z, the procuratorial authority launched a review for data compliance governance, and ultimately decided not to prosecute company Z, Chen and the other technicians, after finding they met the requirements of the review.
Analysis of the act
(1) Company Z’s act did not constitute the crime of infringing upon citizens’ personal data. Under the third paragraph of article 253-1 of the Criminal Law, acquiring citizens’ personal data by stealing or otherwise illegal means constitutes personal data infringement crime. Additionally, the fourth paragraph provides that such a crime can be committed by an entity.
As stated by article 1 of the Interpretations of the Supreme People’s Court and the Supreme People’s Procuratorate of Several Issues Concerning the Application of the Law in the Handling of Criminal Cases Involving the Infringement of the Personal Information of Citizens: “The ‘personal information of citizens’ specified in article 253-1 of the Criminal Law means any information recorded electronically or otherwise that can individually or in combination with other information identify a specific natural person or reflect the individual’s progress of activity, including his or her name, ID document number, contact information for communication or correspondence address, account password, property details, geographic tracking records, etc.”
Companies engaged in data operations generally pay close attention to guarding against the crime of infringing upon citizens’ personal data and masking the personal information data of citizens. But as the majority of the data trawled by company Z had been masked by the take-out platform – which was deemed not to involve identifying information by the procuratorial authority – company Z had not committed the crime of infringing upon citizens’ personal data.
(2) Company Z’s act constituted the crime of unlawfully acquiring data from a computer information system. The second paragraph of article 285 of the Criminal Law specifies: “If anyone who violates state regulations by intruding into computer information systems, which do not include systems relating to state matters, national defence construction or state-of-the-art science and technology, or takes other technical means to acquire data stored, processed or transferred by such computer information system, or unlawfully controls the information system, causing serious circumstances, shall constitute the crime of unlawfully acquiring data from a computer information system.” The fourth paragraph of the same article provides that such a crime can be committed by an entity.
Company Z used crawler technology to acquire platform data without authorisation from the victim, i.e., the take-out platform. The act constitutes “serious circumstances” as specified in the relevant judicial interpretations, for which the public security authority ultimately determined that the crime of unlawfully acquiring data from a computer information system was constituted, and referred the case to the procuratorial authority for review and prosecution.
After receipt of the procuratorial authority’s compliance review recommendations, company Z specifically engaged a team of legal advisers to formulate a data compliance rectification plan and implement it strictly.
More specifically, company Z thoroughly destroyed the relevant crawler program and source code, harmlessly disposed of the unlawfully acquired data in question, and executed a data exchange agreement with the take-out platform to lawfully acquire data.
Additionally, company Z copied and transplanted the model of its co-operation with the take-out platform to enter into data co-operation with many large internet enterprises.
The procuratorial authority conferred with a third-party supervision and evaluation mechanism management committee to select a third-party organisation from the experts’ directory – comprising personnel from the Cyberspace Administration of China, a certain well-known internet security enterprise, and a social organisation engaged in promoting the industry – to oversee company Z’s data compliance work from start to finish.
Ultimately, company Z passed the third-party supervision and evaluation, and after a public hearing between the National People’s Congress deputy, people’s supervisors, the public security authority, third-party organisation and the victim entity, the parties unanimously supported that no charges be brought against company Z and its personnel, whereupon the procuratorial authority ultimately made the same decision.
Analysis of the decision
As stated in the second paragraph of article 177 of the Criminal Procedure Law: “Where the circumstances of a crime are minor and under the Criminal Law it is not necessary to impose a criminal penalty, or grant an exemption from penalty, the People’s Procuratorate may render a decision not to prosecute.”
The authors argue that although the procuratorial authority applied the third-party mechanism, its decision not to prosecute company Z was based on relevant no-prosecution provisions of the Criminal Procedure Law.
Additionally, it should be noted that the third-party mechanism applied to an implicated enterprise cannot guarantee the ultimate no-prosecution decision by a procuratorial authority, which will assess and deal with the implicated enterprise and its personnel in different ways depending on the outcome of its compliance rectification – particularly the compliance inspection report from the third-party organisation. In practice, there have been cases where the implicated enterprise applied the third-party mechanism but was still brought before a court and convicted.
Against the backdrop of the booming digital economy, it is extremely easy for a relevant enterprise to commit a criminal offence, such as infringing citizens’ personal data or unlawfully acquiring data from a computer information system, in its day-to-day operations and business development.
If a relevant enterprise has triggered a criminal law risk, as in this case, the enterprise and its personnel should actively apply compliance rectification in the hope of achieving – to the extent specified in the law – a fortunate outcome of minimal punishment, or even a no-prosecution decision.
Zhou Kairen is a partner at Llinks Law Offices. He can be contacted at +86 21 6043 5866 or by e-mail at email@example.com
Bao Wei is an associate at Llinks Law Offices. He can be contacted at +86 21 6043 3796 or by e-mail at firstname.lastname@example.org