Technology & Commercial IP

PRC Criminal Law Tackles Data Privacy

SIPS Technology and Commercial IP

This month we take a detour from trademark issues to cover recent developments in data privacy, a subject that has been the focus of considerable attention from Chinese regulators over the past few years. On September 29 2015, China’s National People’s Congress promulgated the Ninth Amendment to the PRC Criminal Law, broadening the scope of protection afforded to citizens’ personal information, while also inserting new provisions aimed at combating online fraud, pornography and other illegal online content.

The Amendment is one in a series of recent data privacy-related pronouncements harmonizing the country’s data privacy requirements across the civil, administrative and criminal spheres. It follows the release in mid-2015 of a draft PRC Network Security Law that would create significant new obligations for businesses in China that collect, process, and use personal information.

Background

As China transitions from a manufacturing to a service economy, Chinese leaders view the internet as a critical tool to provide jobs and spur domestic consumption. In March 2015, Chinese Premier Li Keqiang announced the country’s Internet Plus strategy, under which internet technologies such as big data and cloud computing are to be integrated with manufacturing, business and government to drive economic growth. Top Chinese officials are now considering the shape of the nation’s next five-year development plan, which early reports indicate will place “innovation” at the forefront of development.

With the internet seen as a crucial driver of economic growth, Chinese officials are increasingly tasked with ensuring a proper regulatory environment to govern this new online ecosystem. Over the past few years, this has been reflected in the issuance of several laws and regulations establishing baseline protections for the personal information of Chinese citizens. And while China lacks a comprehensive national data privacy regulation, the patchwork of regulations that have emerged since 2011 now include many of the requirements commonly found in other, more developed legal systems, in particular for data relating to online and offline commerce.

Personal information protections expanded

From a data privacy perspective, the most significant aspects of the Amendment are the changes it makes to PRC Criminal Law Article 253. First added in 2011 under the Eighth Amendment to the PRC Criminal Law, the previous Article 253 prohibited government employees and employees in certain public-facing industries (such as healthcare or telecommunications) from selling or “illegally providing” citizens’ personal information obtained through their employment to third parties. But the Article’s imprecise wording gave rise to uncertainty over its scope, in particular with regard to the types of industries covered.

Under the newly amended Article 253, no individual or organization in any industry is permitted to sell or illegally provide citizens’ personal information to a third party in violation of “relevant state regulations”. Unlike the previous formulation, this prohibition now applies to all personal information, not only to personal information obtained through employment.

Where personal information is transferred in violation of the law, criminal liability may be assessed against both the provider and the recipient. In addition to the previous punishment of three years or less of criminal detention for “serious” violations, the Amendment now adds a new category of “extremely serious” cases that are subject to three to seven years’ imprisonment plus fines. No further information is provided as to what constitutes a “serious” or “extremely serious” offence, though the Amendment does add a provision stating that those parties illegally selling or providing personal information obtained in the course of performing “official duties” will receive a “heavier sentence” under these remedial provisions.

With this new language, Chinese regulators have significantly broadened the scope of Article 253 to leave no doubt that all personal information collected within China must be transferred in accordance with China’s relevant laws governing user notice and consent, collection, and scope of use.

New prohibitions for online acts

The Amendment also inserts two new provisions criminalising certain types of online conduct.

Under new Article 286(a), a “network service provider” that has failed to institute legally mandated IT-security mechanisms and refused subsequent orders by the authorities to adopt such measures may be criminally prosecuted where such oversight has resulted in:

    • transmission of a large volume of illegal information;

 

    • disclosure of user information causing serious consequences;

 

    • destruction of evidence used in a criminal case, where the circumstances are serious; or

 

    • other “serious” circumstances (undefined).

The Amendment also inserts a new Article 287(a) that provides for up to three years’ detention and a fine in instances where an individual or organization uses a data network to:

    • set up a website or mailing list to conduct fraud, transmit criminal information, or make or sell prohibited or controlled items;

 

    • publish information relating to the production or sale of controlled items, such as drugs, guns, pornography or other illegal online content; or

 

    • publishes information for committing fraud or other illegal or criminal activities.

Similar penalties are provided for in Article 287(b) for any party that assists the aforementioned acts by providing technical (such as server hosting or web storage) or other assistance.

China’s e-commerce market is now the world’s largest, and with these new provisions Chinese authorities seem determined to ensure that it develops under the healthy guidance of the state. As China acts to further its Internet Plus ambitions, companies with local operations will want to continue to monitor national regulations for compliance and exercise careful oversight and monitoring of company data collection practices and employee use.

Scott Livingston