Over the last few years, China has adopted a series of laws, rules, and regulations to regulate the collection, use, and other processing of personal information. In particular, the Personal Information Protection Law ('PIPL'), effective from 1 November 2021, governs personal information usage and disclosure in China.

Most recently, the Supreme People's Court issued Guiding Cases No. 35 (No. 35) on 28 December 2022 to provide clarity for criminal prosecutions. No. 35 defines criminal violations related to personal information through four criminal cases and establishes the specific scope of personal information protected under criminal law, including:

  • Facial recognition,
  • Resident's identification,
  • Social media account number,
  • Mobile verification number.

Criminal Liabilities 

Illegally obtaining such personal information is deemed a serious infringement, and violators face fixed-term imprisonment of not more than three years or criminal detention, and are concurrently or separately sentenced to a fine. If the circumstances are especially serious, the person shall be sentenced to fixed-term imprisonment of not less than three years but not more than seven years and concurrently sentenced to a fine (Article 253A, Criminal Law).

For companies handling personal data, it is important to establish control mechanisms and an employee code of conduct to reduce risks and identify and address misconduct quickly.

Case One: Facial Recognition

Facial recognition refers to facial recognition technology and facial information generated on the basis of that technology that can identify a specific natural person, alone or in combination with other information, or reflect the activities of a specific natural person. It is defined as a citizen's personal information under the Criminal Law.

In the case, the defendant created hacking software, disguised as a face detection app, to illegally obtain photos from users who downloaded the app. The defendant was sentenced to three years' imprisonment and a 10,000 RMB fine.

Additionally, information collected through facial recognition is regarded as biometric data and is included in the scope of sensitive personal information. Companies handling biometric data are subject to stringent obligations such as protecting such data, obtaining specific consent for disclosure and informing the individual of the necessity and the impact on their rights and interests.

Case Two: Resident's Identification

A resident's identification includes the name of a natural person, facial recognition information, personal identification number, resident's address and other personal information. It is defined as personal information that can impact the safety of the person or their assets.

In the case, the defendant, a Baidu employee, breached confidentiality obligations and committed serious misconduct by selling the personal information of a resident, obtained through his work tasks, for personal profit. The defendant was sentenced to three years' imprisonment and a 10,000 RMB fine.

Case Three: Social Media Account Number

A social media account number, such as a WeChat account number, is deemed personal information and is linked directly to the identification of a natural person. Utilising social media accounts with falsified identification is considered an infringement of personal information, and an illegal use of personal information without obtaining consent and without disclosing the scope, purpose and use of citizens' personal information.

In the case, the defendant purchased unused WeChat accounts and falsified identities by using other people's personal information without consent. The illegal accounts were used for online social activities such as mass messaging, adding friends and establishing online groups. The defendant was sentenced to two years and two months' imprisonment and a 50,000 RMB fine.

Case Four: Mobile Verification Number

A mobile verification number refers to numbers, letters and so forth issued by service providers for specific mobile phone numbers that, alone or in combination, are unique and confidential, and can identify a specific natural person or reflect the activities of a specific natural person, alone or in combination with other information. It is defined as a citizen's personal information under the Criminal Law.

In the case, the defendant illegally obtained mobile numbers and verification codes to register accounts on e-commerce platforms such as Taobao and Jingdong, and profited from each new registration. The defendant was sentenced to 8 months' imprisonment.

For Companies

Though the above cases relate to individual violations, companies mishandling personal information as defined under the Criminal Law can face both serious civil and criminal penalties. Companies must demonstrate that control mechanisms are established and that incidents are recorded and addressed. Otherwise, regulators could conclude that the company failed to enact measures to reduce data risks and, under serious circumstances, affected national security and social order.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.