​By Guan Feng, Luan Jianqi, Chen Yun, Dai Shuhui King & Wood Mallesons

The Cybersecurity Law of the PRC (the “Cybersecurity Law”)[1] and the Judicial Interpretations on Issues Concerning the Application of Law in Handling Criminal Cases of Infringing on Citizens’ Personal Information (the “Judicial Interpretations”)[2], both coming into force most recently, dedicate a significant portion of the law to deal with the protection of citizens’ personal information.  With a lower threshold for criminal conviction and much more detailed and specific provisions, these laws indicate the trend that China has been making growing efforts to protect citizens’ personal information and to crack down on the infringement of citizens’ personal information.

Relevant laws and regulations

1. Crime of infringing on citizens’ personal informationThe crime of infringing on citizens’ personal information is set forth in Article 253(A)[1] of the Criminal Law of the PRC.

  • Definition: the crime of infringing on citizens’ personal information refers to that, which amounts to a serious offence against the law, of selling or providing citizens’ personal information to third parties in violation of the relevant laws and regulations or stealing or illegally obtaining citizens’ personal information by other means.
  • Circumstances whereby a severer punishment shall be imposed: severer punishment will be imposed on selling or providing to third parties in violation of the relevant laws and regulations citizens’ personal information which is obtained during the course of performing duties or providing services.
  • Range of sentences: if amounting to a serious offence in violation of the law, the offender shall be subject to imprisonment of no more than 3 years or criminal detention and concurrently or separately a fine; if amounting to a particularly serious offence in violation of the law, the offender shall be subject to imprisonment of above 3 years but less than 7 years and concurrently a fine.
  • Crimes committed by organizations: where an organization commits the crime, a fine shall be imposed on the organization, and the persons directly in charge of the organization and other persons directly liable shall be punished respectively in accordance with the provisions of Article 253(A).

2.  The Judicial Interpretations

Adhering to the consistent principle of imposing severe punishment, the Judicial Interpretations jointly promulgated by SPC and SPP further elaborate on the relevant provisions and quantifies the threshold for criminal conviction mainly by:

  • further clarifying and expanding the scope of the personal information;
  • clarifying what constitutes the “violation of the relevant laws and regulations”;
  • clarifying what constitute “providing citizens’ personal information” and “illegally obtaining citizens’ personal information by other means”,
  • quantifying the “serious offence in violation of the law” and the “particularly serious offence in violation of the law” and lowering the threshold for criminal conviction;
  • adopting the same threshold for criminal conviction for both organizations and individuals; and
  • lowering the threshold by half for criminal conviction for certain special types of offenders.

3. Protection of personal information under the Cybersecurity Law

Article 37 of the Cybersecurity Law provides that the personal information and important data collected and generated by the critical information infrastructure operators during their operations within the PRC, shall be stored in the PRC; if for the purposes of business operations it is truly necessary for the personal information and the data to be transferred offshore, a security assessment should be conducted in accordance with certain measures to be jointly formulated by the Cyberspace Administration of China and the relevant departments of the State Council; where laws and administrative regulations provide otherwise, such provisions shall prevail.

Criminal risk points in banking business

In this context, considering that in the ordinary course of banking business there could be plenty of operations involving citizens’ personal information, various malpractices in using such information could potentially lead to criminal penalties.  For example, the following questions may be asked by you in order to identify certain highly risky points in handling citizens’ personal information during the ordinary course of banking business:

  • Could personal information (such as ID number, address, etc.) collected during the course of personal banking business be provided to third parties for business operation purposes? How to provide such information? Is a written consent from the information owner required? How specific should the written consent be?
  • In order to explore the market, it may be necessary to cooperate with some “big data” operators to obtain the information of potential clients.  In such business model, how to control, avoid or mitigate risks of criminal liabilities?
  • In corporate banking business, whether consents from the relevant corporate personnel (such as directors, supervisors, senior managers, etc.) are required for collecting and using their personal information? What is the best practice so as to avoid criminal liabilities while efficiently handling corporate banking business?
  • How to calculate the entries of the personal information? Should the information owner be taken as the basis or the information content as the basis?
  • As to the cross-border personal information transfer, how to comply with the so-called “relevant laws and regulations” so as to avoid criminal liabilities?
  • When checking the clients’ information and credit status, how to cooperate with the information providers lawfully and to avoid the so-called “illegal providing/obtaining clients’ personal information”?

Currently, SPC, SPP and the banking regulators (such as the People’s Bank of China and the China Banking Regulatory Commission) are all emphasizing the protection of citizens’ (financial consumers’) personal information.  Banks will unavoidably be engaged in a large number of activities involving personal information, whether in personal banking business or in corporate banking business, whether in existing business operation or in new market exploration.  Therefore, to avoid criminal liabilities as the result of infringement of citizens’ personal information would be of extreme importance to banks operating in China.

Please feel free to contact us should you be keen to avoid the said criminal liabilities and to achieve compliance at both of the internal policy level and the operational level.

Note:

[1] Passed and promulgated by the Standing Committee of the National People’s Congress on 7 November 2016 and came into force on 1 June 2017.

[2] Promulgated by the Supreme People’s Court (“SPC”) and the Supreme People’s Procuratorate (“SPP”) on 8 May 2017 and came into force on 1 June 2017.

[3]  Article 253(A) of the Criminal Law of the PRC provides:

“whoever, in violation of the relevant laws and regulations, sells or provides citizens’ personal information to third parties, if amounting to a serious offence against the law, shall be sentenced to imprisonment of no more than 3 years or criminal detention and concurrently or separately subject to a fine; if amounting to a particularly serious offence against the law, shall be sentenced to imprisonment of above 3 years but less than 7 years and concurrently subject to a fine.

Whoever, in violation of the relevant laws and regulations, sells or provides to third parties citizens’ personal information, which is obtained during the course of performing duties or providing services, shall be subject to a severer punishment in accordance with the preceding provisions.

Whoever steals or illegally obtains the above-mentioned information by other means shall be punished in accordance with the preceding provisions.

Where an organization commits any of the crimes mentioned in the preceding provisions, a fine shall be imposed on the organization, and the persons directly in charge of the organization and others directly liable shall be punished respectively in accordance with the preceding provisions.”