Data abuse prosecutions are a distant threat for companies in China, but risks remain

22 April 2019 7:28pm

8 March 2019. By Xu Yuan.

Companies operating in China have so far largely avoided criminal liability for data-related security breaches, despite a deepening police crackdown on such lapses, but the risks associated with data crimes cannot be entirely overlooked, as companies are expected to boost compliance in face of enhanced regulation.

As one of the key regulators tasked with enforcing the Cybersecurity Law, the Ministry of Public Security, which oversees the police, is in charge of handling criminal cases related to data abuse, known as infringements of citizen’s personal information under China’s Criminal Law.

The ministry has rarely pressed criminal charges against companies for involvement in such illegal conduct in various campaigns targeting data crimes since the Cybersecurity Law came into effect in June 2017.

But that doesn’t mean companies can rest easy, because any involvement in such criminal cases can still have serious consequences.

— More prosecutions —

At a press conference yesterday, the ministry said that more than 13,000 individuals had been arrested last year for the theft and sale of personal information in more than 5,000 cases nationwide.

China included the protection of personal information in the Criminal Law in 2007 and introduced the concept of infringements of citizen’s personal information in an amendment in 2015. In 2017, the Supreme People's Court and the Supreme People's Procuratorate jointly released Judicial Interpretations on Criminal Cases Involving Infringement of Citizens' Personal Information.

The interpretation came into effect the same time as the Cybersecurity Law, giving a boost to the crackdown by the police on illegal dealing in personal data for profit.

According to Zhang Jun, the procurator general of the Supreme People’s Procuratorate, China’s prosecutorial authorities filed lawsuits against 1,029 individuals in 2016 over alleged personal information-related crimes; that figure increased to 4,407 in 2017. The number for the first nine months of 2018 is 3,283.

— Safe for now —

Although there have been cases in which companies have been caught committing crimes involving data infringement under the Criminal Law, they have typically involved businesses established for the sole purpose of profiting from illegal data trading.

Companies that engage in normal, legal, commercial activities have largely escaped prosecution, but not because there are no means of holding them criminally liable for data infringements.

The Criminal Law stipulates that organizations can face monetary penalties and that individuals involved in such crimes can be imprisoned for failures to fulfil the responsibilities of security management if negligence results in consequences such as the illegal distribution of large amounts of information and serious data leaks.

One reason for the small, albeit growing, number of prosecutions could be that the police are focusing on eliminating illegal data trading for a profit or as it related to other crimes such as fraud, instead of whether companies have put in place sound compliance programs to prevent data from being misappropriated.

Companies also fall victim to data crimes, as data sold is often stolen from a company by a rogue employee or hackers, or by employee who has acquired data from an illegal source without informing their employer.

— Enhanced regulation —

Information technology network operators may nevertheless face lesser consequences for misconduct, such as negligence when it comes to maintaining internal security.

Although administrative measures such as fines may be a slap on the wrist for many companies, damage such as reputational harm can have big impact at a time when the public increasingly demands security for their personal data.

The crackdown on data crime could also lead to a tightening of the regulation of companies’ daily operations when industry regulators ask network operators to play a bigger role in preventing their data assets from being taken advantage of.

The police said at yesterday's press conference that they had conducted more than 140,000 inspections of the security management at Internet companies under a set of rules that allow police officers to check companies' cybersecurity responsibilities.

Another example of the use of rules is the People’s Bank of China’s new regulations on strengthening the information security of credit reference services. Those rules, released late last year, are understood to be the result of sales of credit information by employees of institutions with access to those databases.

The central bank operates the country credit system and is connected to institutions such as commercial banks across the country.

Its new rules have established a review mechanism for how well banks protect credit data from being leaked, and rate their performance. The consequences of a criminal incident such as the illegal sale of credit data would land the institution involved with the lowest score, and it could face a suspension of services and legal proceedings.

It is likely that more industry regulators, particularly those in sectors in which personal data can be sensitive and potentially of high value, such as medical care, transportation and education, will follow suit in requiring more efforts from network operators as they step up regulation of data protection.

GDPR