Introduction
On 8 May 2017, the Supreme People's Court and the Supreme People's Procuratorate (collectively, the "Authorities") jointly issued the Interpretation of Applicable Laws on Handling Criminal Cases Involving Infringement of Citizens' Personal Data (Law Interpretation No. 10 of 2017) (the "Interpretation"). The Interpretation clarifies the judicial position on key issues that arise out of criminal cases which concern the infringement of personal data, and took effect from 1 June 2017 (based on Article 13 of the Interpretation).
Summary of the Applicable Judicial Interpretations
The interpretations of the relevant provisions of the Criminal Law in China in the context of infringement of personal data, as set out by the Authorities in the Interpretation, are as follows:
Violations of Article 253 of the Criminal Law
Dual Liability for Illegal Use of Information Network and Infringement of Personal Data
Pursuant to Article 8 of the Interpretation, any person who sets up a website or other communications platform for the purpose of illegally collecting, selling or providing personal data of citizens will, where circumstances are serious, be cumulatively liable for the offences of illegal use of information network (under Article 287 of the Criminal Law) and for infringement of personal data of citizens, and will be punished accordingly.
Sanctions on Non-Compliant Network Service Providers
Article 9 of the Interpretation provides that where a network service provider fails to perform its obligations under any applicable law or regulations and refuses to take corrective measures as directed by the relevant authority, hence resulting in a serious case of leakage of its users' personal data, the network service provider will be guilty of an offence under Article 286 of the Criminal Law.
Punishment for First Time Offenders
For persons who first commit the offence of infringement of personal data, if the circumstances are not considered "particularly serious", the offender returns all the criminal proceeds and shows remorse for his or her conduct, then such offender shall not be charged or prosecuted. Even if prosecution is necessary, lenient treatment must be accorded to such offender under Article 10 of the Interpretation.
Relevant Considerations for Financial Penalty
Article 12 of the Interpretation provides that, in relation to the offence of infringing personal data of citizens, the amount of fine should be determined by taking into consideration the following factors:
- the harm caused by the offence;
- the amount of criminal proceeds;
- the prior convictions of the offender (if any); and
- the level of remorse demonstrated by the offender.
As a general rule, the amount of fine should be more than five times the amount of the criminal proceeds.
Comments
Following the tightening of data protection rules in China, companies should put in place internal controls and security measures (e.g. data encryption), if these are not already done, to comply with the applicable regulations. In addition, companies should also provide adequate training to ensure that employees are aware of how to handle personal data in a way which complies with the legal requirements. This is especially important given that based on the Interpretation, companies and supervisors may be held liable for the acts of their employees or other persons for whom they are directly responsible.
However, it may be of some comfort to know that first-time offenders will be treated with leniency as long as the infringement is not particularly serious, so there is still time for stakeholders to familiarise themselves with the relatively new legislation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
