China issues first judicial interpretation on personal data protection, toughens stance on violators

10 May 2017.

In the first ever judicial interpretation in China on the issue of protection of personal data, the country's highest court and top prosecuting authority jointly laid out strict measures to crack down on the rampant theft of personal information in the country. They include prison sentences of up to seven years for those who illegally sell personal data in cases that are defined as "extremely severe."

China's Supreme People's Court, or SPC, and the Supreme People's Procuratorate, or SPP, yesterday jointly published the measures, entitled, "The Interpretation of Issues Concerning the Application of Law in the Handling of Criminal Cases of Infringement of Citizens' Personal Information."

Xu Jianzhuo, the director of the Network Research and Development Center under the Ministry of Public Security, said at a news briefing in Beijing that the infringement of personal information, such as through telecom fraud, had become rampant in China in recent years and the situation is viewed as severe.

The judicial interpretation covers 13 items, and specifies the penalties for theft of personal data. In particular, it stipulates how the country's Criminal Law should be applied in these cases.

For instance, it defines "personal information" under Article 253 of the Criminal Law to include names, identity numbers, personal contacts, addresses, account passwords, information on property and personal whereabouts.

The interpretation stipulates that any leak, sale or collecting of personal information without consent is subject to Article 253 of the Criminal Law.

It also defines "severe circumstances" to include illegally obtaining, selling or providing 500 items of data about people's location, the contents of their communications, their credit information and their property information; 5,000 items of communications records, accommodation data, health data or transaction information. It also includes selling 50,000 items or more of personal information, or making more than 5,000 yuan ($725) from the sale of such stolen personal data.

According to the Criminal Law, those who are convicted of selling or providing personal information to others could face a maximum sentence of three years if "the circumstances are severe."

In addition, crimes involving personal data theft that lead to death, severe injury, mental impairment or kidnapping are defined as "extremely severe" offences, and violators could face up to seven years in prison.

According to the interpretation, Internet service providers that fail to follow instructions from regulator's to rectify their practices and are involved in widespread leaks of personal information causing a severe impact on individuals would also be subject to Article 286 of the Criminal Law. Such violations would be subject to penaties and prison terms of up to three years.

The SPC also detailed some cases as examples of the theft of personal data. In 2015, for example, a court in Zhejiang Province sentenced Ding Yaguang to three years in jail for selling over 200,000 pieces information on hotel stays that he downloaded from a website due to a data breach of a company that provides booking services for many Chinese hotels.

In 2016, the police investigated over 2,100 privacy cases and arrested 5,000 suspects for engaging in personal information infringement, including online data theft and telecom fraud. Over 50 billion pieces of personal information were sold, according to the SPC and SPP.

Between February 2009 and October 2015, courts nationwide handled a total of 969 criminal cases related to personal data theft.

Privacy report

Receive MLex Editor's Picks in Your Inbox

Complete this form to receive emails from MLex with selected highlights from our global coverage of regulatory risk and opportunity, as well as upcoming events, special reports and exclusive interviews.