On 9 May 2017, the Supreme People's Court and the Supreme People's Procuratorate of China issued rules that offer a clarification of the scope of criminal sanctions for breaches involving personal information in the form of Interpretations on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens' Personal Information ("Interpretations"). The Interpretations shed light on the scope of the offence of "infringement of citizens' personal information" provided by Article 253 of the PRC Criminal Law. The Interpretations will come into force on 1 June 2017, the same date as the effective date of the PRC Cybersecurity Law (CSL) which was released on 7 November last year.

Specifically, Article 253 of the PRC Criminal Law (amended in 2015) imposes criminal sanctions on anyone who, in violation of relevant State rules, sells or discloses the personal information of third parties. The sanctions imposed by the statute vary depending on the seriousness of the circumstances of the violation. "Serious" circumstances attract prison sentences of no more than three years and/or a fine. "Extremely serious" circumstances see the penalties increased to three to seven years imprisonment, plus a fine. The sale or disclosure of personal information obtained in the course of conducting professional duties or providing services (such as postal services) attracts penalties at the harsher end of the spectrum.

The Interpretations provide much needed definitions to several key terms of Article 253. For example, "personal information" is defined to cover two types of information recorded through electronic or other means namely: i) any information that can be used alone or in combination with other information, to identify a natural person; and ii) any information reflecting the special characteristics of the activities of a natural person. The definition appears broader than the one provided by the CSL which was limited to the first category.

The Interpretations also clarify that "disclosure of personal information" punishable by Article 256 refers to acts of providing personal information to others without the consent of the data subjects. This term further covers acquisition of personal information through illegitimate means or during the course of performing duties and providing services. However, personal information that has been de-identified and cannot be traced back to an individual is excluded.

The criteria for the imposition of penalties is clarified in the Interpretations. For example, criminal detention or a fixed-term imprisonment of not more than three years, concurrently or separately with a fine, shall be imposed if one of the following "serious" circumstances applies:

  • sale or provision of data pertaining to geographic location which is used by others to commit a crime;
  • sale or provision of the personal information with actual or imputed knowledge that others would use the personal information to commit a crime;
  • illegal procurement, sale or provision of more than 50 pieces of information concerning geographic location, content of correspondence, credit history, and financial assets of an individual;
  • illegal procurement, sale or provision of more than 500 pieces of information concerning records of accommodation or correspondence, health, transaction, or other personal data that may affect the safety or any property/assets of an individual;
  • illegal procurement, sale, or provision of more than 5,000 pieces of personal information concerning other information of an individual other than above;
  • the amount of information does not meet any of the requirements above, but the cumulative quantity of data alone meets the threshold imposed by the statute;
  • the illegal income derived from the provision of data exceeds RMB 5,000 (about US$722);
  • sale or provision of personal information acquired in the course of conducting business or providing services, and the data involved exceeds half of the quota specified above;
  • the person committing the offence has been sentenced based on criminal or administrative charges for infringing provisions relating to personal information in the past two years;
  • any other circumstances.

Anyone who illegally purchases or obtains personal information in the course of their business shall be deemed to be violating Article 253 as well provided that the amount of illegal income exceeds RMB 50,000 (about US$7,221) or the person has been convicted of similar violations in the past two years.

The violations would be deemed "extremely serious" if the above acts lead to serious consequences such as death or significant economic losses, or when the amount of personal information involved exceeds more than 10 times the amount of any of the thresholds provided for "serious" circumstances. Extremely serious crimes shall attract sentences of a fixed-term imprisonment of three to seven years plus a fine.

Finally, Article 9 of the Interpretations imposes new obligations on network service providers. Any network service provider who fails to manage the security of information networks as provided by law and relevant administrative regulations and refuses to make corrections as ordered by regulatory authorities causing serious breaches of personal information shall be sentenced to criminal detention or fixed-term imprisonment of no more than three years, concurrently or separately sentenced to a fine pursuant to Article 286 of the PRC Criminal Law. Note that the CSL regulates network operators which are defined to include network service providers and, in addition, owners or administrators of networks.

The CSL has numerous enforcement provisions targeting operators of critical information infrastructures and network operators for violations of CSL specific obligations and duties such as the controversial data localisation governing "personal information" and "important data". The Interpretations serve as a strong companion to the CSL and address enforcement measures targeted specifically at breaches of obligations in relation to personal information, with arguably a clearer focus on the protection of citizens' privacy rights.

Visit us at www.mayerbrown.com

Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the Mayer Brown Practices). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2016. The Mayer Brown Practices. All rights reserved.

This article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein. Please also read the JSM legal publications Disclaimer.