The PRC Supreme People’s Court and Supreme People’s Procuratorate have recently issued the Interpretation of Various Issues Concerning Application of Law in Handling Crimes of Infringing upon Citizen’s Personal Information (the “Interpretation”). The Interpretation clarifies several important issues in bringing criminal cases for infringing personal privacy and broadens the definition of personal information.

The Interpretation came into effect on 1 June 2017 at the same time as the PRC Cyber Security Law, both of which indicate China’s continued focus on privacy protection.

What it means for companies

Companies now face greater exposure to privacy infringement and risk of criminal liability. The Interpretation confirms that the infringement of personal information is a unit offence, ie companies, together with in-charge and responsible employees, will be prosecuted under the offence.

The Interpretation also attributes criminal responsibility to companies if they fail to meet certain administrative requirements of privacy protection. For example, a company will be held liable for repeat violations of illegally obtaining, selling or providing personal information (regardless of the quantity thresholds set out under the first key feature below) if the company has been subject to administrative penalties within two years, or has been subject to criminal penalties for infringement of personal information.

It is also a criminal offence if a network service provider leaks personal information which causes serious consequences. This can take place if the provider refuses to fulfill its management obligation of information network security as required under PRC laws and regulations, and refuses to follow the rectification order from the relevant authority.

Key features of the Interpretation

  1. Quantifying the thresholds of indictable privacy infringement

Illegal sale, provision, purchase, or acquisition of personal information is an indictable offence if the offence is deemed “severe or extremely severe”. Before the release of the Interpretation, however, it was not clear to what extent an offence would meet the requirement of severity. The Interpretation provides detailed scenarios which will be deemed severe and extremely severe, including the quantified thresholds as follows:

a. no less than 50 pieces of personal information in terms of an individual’s whereabouts, content of telecommunication, credit information or property information;

b. no less than 500 pieces of personal information in terms of an individual’s lodging, telecommunication record, health status or transaction information which may impact the individual’s personal or property security;

c. no less than 5,000 pieces of personal information other than the above two scenarios; or

d. no less than 5,000 RMB of illegal gain.

If the personal information is sold or provided by a party who obtained such personal information while fulfilling obligations or providing services, the above thresholds will be reduced by half. In addition, if a party repeatedly provides personal information of the same individual(s) to different parties, the quantity of personal information will be aggregated when assessing if the threshold has been met.

  2. Expanding the definition of personal information

According to the Interpretation, personal information means any information, individually or combined with other information, that can identify a specific individual. Therefore, a single piece of information (eg name or mobile phone number) will fall within the definition if it identifies a specific individual. In the past, we observed from prior cases that it would take at least three pieces of information of a specific individual to be deemed sufficient to identify an individual. In addition, for the first time, the definition of personal information covers information reflecting a specific individual’s activities.

  3. Prohibiting publication of personal information

Article 3 of the Interpretation prohibits the publication of personal information through the internet or other channels without consent, even if the information is legally obtained. This is to address the increasing trend of “cyber manhunt”[1] which has caused significant material and moral damage (such as distress and reputational damage) to information owners. If companies are required to publicize employee or consumer information in certain situations, consent from the information owner must be secured prior to the publication.

Actions to take

Companies in China, including MNCs, should review their policies to ensure they are ready to meet the increasing responsibilities brought by the new developments. Companies handling personal information in their daily operations should pay particular attention to their procedures. For example, companies which collect and preserve large volumes of consumer information, such as hotels, airlines and pharmaceutical companies, may consider conducting a comprehensive health check to identify any gaps in their privacy protection.

An effective privacy policy, sound implementation and training of employees are key to preventing companies and employees from committing privacy infringement. The value of these actions has been reinforced in a recent High Court judgment of the Gansu Province. Six employees of a Chinese subsidiary of an international food company were convicted for purchasing thousands of pieces of personal information from doctors to promote sales of infant formula. The company was exonerated of liability as the relevant policies and code of conduct clearly prohibited paying benefits to doctors or illegally obtaining personal information. The employees were also required to participate in training concerning such policies and code of conduct, and to sign corresponding compliance certificates.

[1] An informal term commonly used in China for large-scale internet search efforts to obtain personal information relating to individuals.
