In April of 2017, the Supreme People’s Court (“SPC”) and the Supreme People’s Procuratorate (“SPP”) passed and released a new judicial interpretation dealing with criminal infringement of citizens’ personal digital information (the “SPC Data Privacy Interpretation”)[1]. Approved and promulgated, the SPC Data Privacy Interpretation came into effect on June 1, 2017, and it enhances and clarifies existing criminal codes that deal with illicit possession, handling, and distribution of citizens’ digital personal information[2].
Background
Since the introduction of information technology and its gradual growth in mainland China, the total number of Chinese citizens connected to the internet (“netizens”) has grown exponentially[3]. Online social and commercial activity has incentivized netizens across the country to share more personal information with online third parties. Regulating this explosion of readily available sensitive information has proven to be a formidable challenge for the Chinese authorities. The Chinese government, recognizing the long-term repercussions of not tackling these pressing matters, in 2013, and through the SPC, released an official notice indicating its commitment to safeguarding digital information[4] (“notice”). Although the notice was informal, it paved the way for serious regulatory reform on Chinese laws dealing with citizens’ personal information.
In order to support the growing digital infrastructure in the country, in the notice the SPC laid out four guidelines for individuals, companies, and government agencies to abide by. The first was to bring public awareness to the issue, and the SPC recognized an “underground industry” dedicated to stealing and selling netizens’ personal information in China[5]. Under this awareness campaign, the SPC also urged public security authorities and other governmental agencies to have a clear understanding of the serious harms to society caused by these types of crimes. Secondly, the SPC advised on how to best apply the existing law to data-related crimes. Although it urged authorities to “learn from past successful legal precedents,” the language in the notice was vague and did not identify what the “legal precedents” were or how they were to be applied. The notice did however define personal information as anything that includes a “citizen’s name, age, valid certificate number, marital status, employer, education background, resume, family address, phone number and other information or data that can identify the identities of citizens or involve the personal privacy of citizens.”[6]
Third, the SPC provided guidance to legal and judicial agencies as to how best coordinate and cooperate with each other in enforcing and executing existing laws. Although minimal guidelines concerning jurisdiction and criminal procedure were provided, it can be inferred from the vague and ambitious language that the main objective was to merely initiate inter-governmental cooperation in matters of personal data theft. Finally, the fourth point laid out the government’s long-term commitment to this issue and pushed for a nationwide awareness campaign. The notice urged governmental agencies across China to seek temporary and long-term solutions by requiring they “make full use of newspapers, radio, television, network and other media platforms to vigorously publicize the Party and the country’s determination and efforts to combat against such crimes, publicize the relevant policies, laws and regulations, remind and educate the masses to use the law to protect and safeguard their lawful rights and interests and improve the awareness and capability of self-protection.”[7]
Because of those efforts, since 2013 the number of Chinese netizens that are aware of the risks and dangers of having their personal information in the hands of third parties has only increased, and recurring incidents of data theft have only fueled their concerns. Recent cases covered by the media involving the misuse of netizens’ personal information have made the issue of protecting data privacy a hot topic in China, and have forced the government to ramp up its efforts to control the situation[8].
Article 253(a) of the Criminal Law of the People’s Republic of China
The first real attempt at modernizing the Criminal Law of the People’s Republic of China (“criminal law”) to incorporate data theft was in 2009[9]. Under Amendment VII to the criminal law, Article 253(a) was updated to include that the misuse of “personal information” was now a crime, and that crimes for “selling or illegally providing…citizens’ personal information obtained during the course of performing duties or providing services” was a violation of State regulations[10]. However, as with many laws of this time, the amendment was vague and open to interpretation. For example, Amendment VII did not specify which State regulations it was referring to, nor did it provide clarity as to what constituted a serious circumstance[11].
Thus, on August 29, 2015, the SPC & SPP again amended article 253(a) of the criminal law. Amendment IX to the criminal law rephrased 253(a) to be read as follows:
Whoever, in violation of relevant provisions of the State, sells or provides the personal information of more than three years of criminal detention and concurrently or separately sentenced to a fine; under especially serious circumstances, he shall be sentenced to fixed-term imprisonment of not less than three years but not more than seven years and concurrently sentenced to a fine.
Whoever, in violation of relevant provisions of the State, sells or provides to others the citizens’ personal information obtained during the course of performing duties or providing services shall be given a heavier punishment in accordance with the preceding paragraph.
Whoever illegally obtains the citizens’ personal information by theft or through other means shall be punished in accordance with the provisions of Paragraph 1.
Where an entity commits any of the crimes mentioned in the preceding three paragraphs, a fine shall be imposed on the entity, and the persons who are directly in charge of the entity and such other persons who are directly responsible for the crime shall be punished respectively in accordance with the provisions of the preceding three paragraphs.[12]
This new amendment built on and improved Amendment VII’s language by adding much needed clarification. Specifically, those “directly responsible” in organizations and entities that mismanage citizens’ personal information could now be criminally prosecuted, and it also criminalized parties that had legally obtained personal information but nevertheless mismanaged or misused it. Also, an additional provision was added to hold accountable those individuals who illegally sold and obtained citizens’ personal information “during the course of performing duties or providing services.” This addition to the law now held companies who directly handled citizens’ information directly responsible for any mishandling of personal information in their possession. However, as with previous initiatives, there was still vagueness and broadness in the language (or lack thereof) of the law. There was still no understanding as to what was meant by “serious circumstances,” nor what were the “relevant state provisions” it referred to. Under this precedent, the impact of the SPC Data Privacy Interpretation is significant and provides the legal basis for stricter regulation on private citizens’ data management.
The SPC Data Privacy Interpretation
The evolution of data privacy laws in China culminates with the most recent SPC Data Privacy Interpretation, released by the SPC & SPP, which recently took effect on June 1st, 2017. The SPC Data Privacy Interpretation, which has legal force in China, is meant to build on the previous informal notice and narrow the scope of the already existing relevant criminal laws. The SPC Data Privacy Interpretation provides legal definitions for previously undefined terms in the criminal law, procedures for governmental and law enforcement agencies to implement when prosecuting individuals and/or entities, circumstantial evidence for the courts to consider when sentencing, and criteria for reducing sentencing for first time offenders.[13]
Article I of the SPC Data Privacy Interpretation defines “personal information,” as provided in Article 253(a) of the criminal law, to refer to “all kinds of information, recorded electronically or otherwise, that, either alone or together with other information, can identify certain natural persons’ identities or reflect certain natural persons’ activities, including full names, identification numbers, communications and contact information, addresses, account passwords, assets status, whereabouts, and so forth.”[14] Any individual or entity that violates what the SPC Data Privacy Interpretation defines as personal information would thus be found to have “violated relevant state provisions,” providing much needed clarification with regard to the language in Article 253(a) of the criminal law.[15]
Article III & IV specify that to “[provide] citizens’ personal information,” as stated in Article 253(a), is to be applied to those who either illegally provided citizens’ personal information to specific individuals, or to those who illegally obtained citizens’ personal information through networks or “other routes.” Individuals or entities who legally acquired, provided, and/or manage the personal information of citizens, and did so without the consent of the person whose information is being gathered, will also fall under “providing citizens personal information,” unless the information is “processed so that there is no way to identify specific individuals and it cannot be restored.”[16]
Articles V & VI of the SPC Data Privacy Interpretation list thirteen scenarios that serve as guidelines for courts to determine whether situations shall be found to be “serious circumstances” as provided in Article 253(a)[17]. Serious circumstances can be scenarios such as selling or providing personal information during the commission of a crime, or assisting in the commission of a crime, or the party knows or ought to know the data will be used in the future commission of a crime. Even if there is no criminal activity in the present or near future, the act will still be deemed as “serious circumstances” if the acquisition, sale, or transaction of personal information involves[18]:
- 50 or more items of tracking information, communications content, credit rating information, or information on assets;
- 500 or more items of housing information, communications records, physical health information, transaction information, and/or other such citizens’ personal information that might impact the security of citizens’ person or property;
- 5,000 or more items of citizens’ personal information other than those provided in (1) & (2)[19];
- unlawful gains of 5,000 RMB or more, or using illegally purchased or accepted citizens’ personal information to earn 50,000 RMB or more;
- selling or providing others with citizens’ personal data that was obtained in the course of performing professional duties, and reaching half or more of the volume or quantity standard provided in items (3) – (7); [20] and
- having previously received a criminal punishment for violating citizens’ personal information or having received an administrative punishment within the last 2 years.
Article XIII of the SPC Data Privacy Interpretation determines the nature of the act of infringing on citizens’ personal information by setting up a website or a communication group. If a website or a communication group was set up to illegally obtain, sell or provide citizens’ personal information and the circumstances are serious, the person should be convicted of the crime of illegal use of the information network[21]. If citizens’ personal information was infringed at the same time, the person will be convicted of the crime of infringement of citizens’ personal information.[22]
Article IX of the SPC Data Privacy Interpretation deals with the duties and responsibilities of companies who legally hold, obtain, and distribute citizens’ information[23]. Said companies are required to “perform information network security management obligations provided by [law enforcement] and administrative regulations….” Additionally, if said companies “refuse to make corrections after being ordered to take corrective measures by the oversight and regulatory departments, leading to [leaks] of user citizens’ personal information and causing serious consequence,” the companies and responsible individuals will be held criminally accountable.[24]
Article X & XII focus on sentencing guidelines for minor offenses and what fines, if any, to impose on parties found to have criminally mismanaged citizens’ personal information. In order for a violation of citizens’ personal information to be considered minor in severity, the following must be met: the crime is not under the umbrella of “especially serious circumstances,” the offender is a first time offender, restitution was made in full, and the offender truly expresses remorse about the crime.[25] Finally, the amount of fines to be imposed is based “on comprehensive consideration of the degree of harm, the amount of unlawful gains[26], and the defendants’ criminal record and attitude of repentance and remorse….”[27]
Impact
The SPC Data Privacy Interpretation will have a significant impact on public and private entities that legally obtain, handle, and/or sell citizens’ personal information. These entities must be thorough in complying with state regulators and stay up to date with security management obligations, or run the risk of hefty fines. Additionally, upper management and individuals in direct supervision of citizens’ personal information now run the risk of criminal prosecution if the information under their control is misused or negligently handled. Finally, courts and law enforcement agencies now have the needed material and resources to prosecute and sentence individuals and entities that illegally obtain, handle, and/or sell citizens’ personal information.
*Nicolas Ospina and Lu Jin are summer associates at Sheppard Mullin.
[1] See The Supreme People’s Court and Supreme Peoples’ Procuratorate Interpretation on Several Issues Regarding the Applicable Law in Criminal Cases of Citizen’s Personal Information, Supreme People’s Court of the PRC, May 18, 2017, http://www.court.gov.cn/fabu-xiangqing-43942.html. See also http://news.jcrb.com/jszx/201705/t20170509_1750990.html. Translations of the interpretation provided by http://www.chinalawtranslate.com/, SPC and SPP Interpretation on Handling Criminal Cases of Violations of Citizens’ Private Information.
[2] Id.
[3] Marco Huang, More Than Half of China’s Population is Online – And Most Use Smartphones, The Wall Street Journal (Jan. 26, 2016, 5:20 am HKT), https://blogs.wsj.com/chinarealtime/2016/01/26/more-than-half-of-chinas-population-is-online-and-most-use-smartphones/. (“As of the end of 2015, the number of Chinese people online had reached 688 million, accounting for 50.3% of China’s population…”).
[4] See Notice of the Supreme People’s Court, the Supreme People’s Procuratorate and the Ministry of Public Security on Legally Punishing Criminal Activities Infringing upon the Personal Information of Citizens, April 23, 2013. Translation by Peking University at http://en/pkulaw.cn
[5] Id.
[6] Id.
[7] Id.
[8] One such case making national headlines and causing public outrage was that of Xu Yuyu, a Nanjing University of Posts and Telecommunications (“NUPT”) student who fell victim to telephone fraud. In 2016 Xu, after having been admitted to NUPT, received a phone call from a third party claiming to be a NUPT admission staff member. The party, after providing Xu with detailed personal information about herself and her studies, informed her that she had to deposit ¥9,000 RMB (~$1,324 USD) to an account in order to receive her full scholarship. Only after Xu sent the money did she realize it was a scam, and that the third party had obtained all her private information from another party that had previously broken into NUPT’s database and retrieved a large amount of personal information from various student profiles. Xu, who came from a modest rural upbringing and whose family was not wealthy, eventually died of a sudden cardiac arrest caused by “excessive grief.”
[9] Amendment (VII) to the Criminal Law of the People’s Republic of China, effective on February 28, 2009.
[10] Id.
[11] Id.
[12] Amendment (IX) to the Criminal Law of the People’s Republic of China, effective on August 29, 2015.
[13] See The Supreme People’s Court and Supreme Peoples’ Procuratorate Interpretation on Several Issues Regarding the Applicable Law in Criminal Cases of Citizen’s Personal Information, Supreme People’s Court of the PRC, May 18, 2017, http://www.court.gov.cn/fabu-xiangqing-43942.html. See also http://news.jcrb.com/jszx/201705/t20170509_1750990.html.
[14] Id.
[15] Article II of the Interpretation.
[16] Articles III & IV of the Interpretation
[17] Articles IV & V of the Interpretation
[18] These items are also applicable to managers and other directly responsible personnel when an entity is involved.
[19] If the amounts do not reach the standards provided in (1)-(3), but taken together according to the relevant ratios, the relevant quantity standards are met.
[20] See also Article 11. (For items (1) – (5), “[w]here after unlawfully acquiring citizens’ personal information, [the information] is also sold or provided, the number of items of citizens’ personal information is not double counted.”)
[21] Article XIII of the Interpretation.
[22] Id.
[23] Article IX of the Interpretation.
[24] Id.
[25] Article X of the Interpretation. (“Where judgement and punishment is truly necessary [for minor cases], it shall be lenient.” Which cases truly necessitate judgement and punishment is not clear).
[26] Id. (“Fines are usually between 1 and 5 times the unlawful gains.”)
[27] Article XII of the Interpretation.