Data protection laws enhanced in China
Recent guidance highlights the increased risk of international financial institutions incurring criminal liability for data breaches in China. Such risk arises, for example, in cross-border regulatory investigations, when transactional data may have to be moved across borders to facilitate review either internally or by foreign regulators.
On 9 May, the China Supreme People’s Court (SPC) and Supreme People’s Procuratorate (SPP) jointly released the ‘Interpretations on Legal Application Issues Concerning the Adjudication of Criminal Cases Involving Infringement of Citizens’ Personal Information’ (the Interpretations), effective from 1 June 2017. The Interpretations reflect a legislative trend of enhancing personal data protection in China.
China does not have a unified personal information protection law. Relevant provisions are scattered among various laws and regulations. In 2015, Amendment IX to the China Criminal Law combined two previous offences into one – the crime of infringing citizens’ personal information. However, the criteria for this offence were too general and gave rise to uncertainty and disagreements about interpretation. The Interpretations were formulated to introduce more certainty.
What is a citizen’s personal information?
The Interpretations define “citizen’s personal information” as all forms of information, recorded electronically or otherwise, that, either alone or in combination with other information, can be used to identify a specific natural person’s identity or reflect a specific natural person’s activity, including the citizen’s name, ID number, communications and contact information, address, account password, asset status and whereabouts. This definition is aligned with that of “personal information” defined in the PRC new Cyber Security Law.
Meaning of illegally ‘providing or obtaining’ personal information
The Interpretations define what constitutes illegally providing or illegally obtaining citizens’ personal information. Providing personal information to third parties without the data subject’s consent, even if the information was lawfully acquired, is deemed illegally providing personal information, unless the information has been processed so that it cannot be reconstructed to identify a particular individual.
Obtaining personal data (eg by purchasing, accepting, exchanging or collecting it) in the course of performing duties or providing services, in contravention of the relevant laws and regulations, is deemed illegally obtaining citizens’ personal information.
Criteria for Conviction and Sentencing
Illegally providing or obtaining citizens’ personal information will only constitute a crime if the circumstances are serious. There are guidelines on what is considered to be serious. For financial institutions, “serious” would include obtaining or providing 50 or more items of information on a person’s credit or assets, or where the bank is a repeat offender.
The penalty for breaching the new law depends on such factors as whether the breach has caused excessive financial losses, resulted in large illegal gains, or caused serious harm to individuals. An entity guilty of an offence is subject to a fine, and the individuals who are directly in charge of the entity and other persons who are directly responsible for the crime may also be punished (fine or imprisonment).
This case summary is part of the Allen & Overy Legal & Regulatory Risk Note, a quarterly publication. For more information please contact Karen Birch – firstname.lastname@example.org, or tel +44 20 3088 3710.