Serious infringement of personal information in China can result in criminal penalties.

China has adopted a series of laws, rules, and regulations to regulate the collection, use, and other processing of personal information. Namely, the Personal Information Protection Law ('PIPL') effective from 1 November 2021 governs personal information usage and disclosure in China.

Recently, the Supreme People's Court issued Guiding Cases No. 35 (No. 35) on 28 December 2022 to provide clarity for criminal prosecutions. No. 35 defines criminal violations related to personal information through four criminal cases. And established the specific scope of personal information protected under criminal law including:

  • Facial recognition,
  • Resident's identification,
  • Social media account number,
  • Mobile verification number.

Criminal Liabilities

Illegally obtaining such personal information is deemed as a serious infringement and violators face a fixed-term imprisonment of not more than three years or criminal detention and concurrently or separately sentenced to a fine.

Also, where the circumstance is deemed especially serious, the person shall be sentenced to fixed-term imprisonment of not less than three years but not more than seven years. And concurrently sentenced to a fine (Article 253A, Criminal Law).

Therefore, it is important to establish control mechanisms and an employee code of conduct to reduce risks and identify. And address misconduct quickly to avoid negative public relations.

Case One: Facial Recognition

Facial recognition refers to facial recognition technology and facial information generated-based technology including:

  • can detect the identity of a specific natural person or;
  • in combination with other information reflects the activities of a specific natural person.

And defined as citizen's personal information under the Criminal Law.

In the case, the defendant created hacking software, disguised as a face detection APP, to illegally obtain photos from users who downloaded the face detection APP. The defendant was sentenced to three years imprisonment and a 10,000 RMB fine.

Additionally, face recognition collection is regarded as bio-metrics and included in the scope of sensitive personal information. Companies handling bio-metrics are subject to stringent obligations such as protecting such data, obtaining specific consent for disclosure. Also companies shall inform the individual of the necessity and the impact on their rights and interest.

Case Two: Resident's Identification

The Resident's identification includes the name of a natural person, facial recognition information, personal identification number, resident's address and other personal information. And defined as personal information that can impact the safety of the person or their assets.

In the case, the defendant, a Baidu employee breached confidential obligations and serious misconduct by selling the personal information of a resident. Therefore, the defendant was sentenced to three years imprisonment and fined 10,000 RMB.

Case Three: Social Media Account Number

Social media account number such as WeChat account number is deemed as personal information and linked directly to the identification of a natural person. Utilising social media accounts with falsified identification is considered an infringement of personal information. Also, the act is deemed illegally utilising personal information without obtaining consent and disclosing the scope, purpose and use of citizens' personal information.

In the case, the defendant purchased unused WeChat accounts and falsified identities by using other people's personal information. Therefore, the illegal accounts were used for online social activities such as mass messaging, adding friends and establishing online groups. The defendant was sentenced to two years and two months imprisonment and fined 50,000 RMB.

Case Four: Mobile Verification Number

Mobile verification number refers to numbers, letters and so forth issued by service providers for specific mobile phone numbers, alone or in combination, are unique and confidential, and can identify a specific natural person or reflect the activities of a specific natural person alone or in combination with other information. And defined as a citizen's personal information under Criminal Law.

In the case, the defendant illegally obtained mobile numbers and verification codes to register accounts on e-commerce platforms. And profited from each new registration. The defendant was sentenced to 8 months imprisonment.

For Companies

Though the above cases relate to individual violations, companies mishandling personal information defined under Criminal Law can face both serious civil and criminal penalties. Companies must demonstrate that control mechanisms are established. Also, any incidents shall be recorded and addressed. Otherwise, company may be deemed to have not reduced data risks. Therefore, under serious circumstances could affect national security and social order.

For more information on cyber and data, read our previous insights below:

Q&A of the Cyber, Data, and Personal Information Security

Using and Disclosing Personal Information

The Dos and Don'ts of Processing Employee Data under Personal Information Protection Law

Originally Published by 22 February 2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.