15 Dec 2015 Personal Information Protection under Amendment IX to The Chinese Criminal Law
The Chinese Internet industry has been developing rapidly, especially in B2C and C2C e-commerce.
On November 11th, 2015, the sales volume of Taobao (a B2C platform owned by Alibaba Group) reached CNY 91.2 billion (around 14 billion USD), with around 680 million online deals completed and the packages delivered all across the country.
Large volumes of information and data are constantly circulating, such as names, addresses, ID and passport information, mobile and credit card numbers, etc. Such information is handled by a large number of persons, including but not limited to the employees of Internet websites and platforms, engineers, customer and after-sale service staff and delivery men, not to mention possible handling by public servants and governmental bodies, such as Public Security Departments.
In 2015, C-trip, one of the most profitable online travel agencies in China, was hacked and, according to public media reports, approximately 16,800 users’ personal data were leaked, including credit and payment card numbers and CVV, which were not encrypted. Credit card users flooded their banks with calls asking them to block the use of their cards.
Against this background, the Standing Committee of the National People’s Congress enacted Amendment IX to the Chinese Criminal Law (hereinafter “Amendment IX”), which became binding on 1 November 2015. Among many other changes, data protection is considerably strengthened.
1. Existing Laws and/or Regulations on Data Protection
• The Decision on Strengthening Online Information Protection.
The Decision on Strengthening Online Information Protection (the “Decision”) was issued by the Standing Committee of the National People’s Congress on December 28th, 2012. The Decision is designed to protect sensitive information that may potentially identify an individual or reveal personal privacy. It applies to companies and entities in both the public and private sectors, including governmental officials. Nevertheless, its protection of personal information is limited to the digital sphere. Although commentators have called the Decision a milestone for privacy legislation in China, its wording remains vague, its provisions are general, and it enacts no significant penalty or punishment.
• The Guide of Personal Information Protection on Information Security Technology, Public and Commercial Information Service System.
On February 1st, 2013, the Guide of Personal Information Protection on Information Security Technology, Public and Commercial Information Service System (hereinafter the “Guide”) was issued by the Ministry of Industry and Information Technology. The Guide is the first national standard of personal information protection. It is not a law, but it clarifies key expectations for various organizations (except governmental agencies) collecting personal information. It also outlines how personal information is to be handled in four phases: collection, processing, transfer, and deletion. Because it is only a guideline with definitions and standards of personal information, its implementation has been difficult to assess.
• Rules for Protection of Personal Information of Telecom and Internet Users (the “Rules”)
The Rules, issued by the Ministry of Industry and Information Technology (“MIIT”), were formulated in accordance with the Decision on Strengthening Protection of Network Information (the “Decision”) and came into effect on September 1st, 2013. Because telecommunications operators and Internet information service providers (collectively, the “Operators”) in China do not attach sufficient importance to the security of users’ personal information, the Rules apply to activities involving the collection of personal data in the course of providing telecommunications and Internet information services. They are implemented by the telecommunications regulatory authority, composed of MIIT and its local counterparts.
The Rules set out the definition of personal information, standards for the collection and use of information, the management of agents, security assurance measures and legal liability. With these provisions, the Rules are intended to make clear the guidelines that Operators must comply with when collecting and using users’ personal information in the course of providing their services. The measures should be taken by the Operators in order to protect the users’ lawful interests.
• Regulation on Medical Records Management in Medical Institutions
This Regulation aims to strengthen medical records management in medical institutions, ensuring medical quality and safety and safeguarding the legitimate rights and interests of doctors and patients.
The Regulation also sets out the definition of medical records. It applies to medical record management in all kinds of medical institutions at all levels. Medical institutions and medical staff shall strictly protect patient privacy. Any leakage of patients’ medical records for non-medical, non-teaching or non-research purposes is forbidden.
• Consumer Rights and Interests Protection Law, PRC
The newly revised PRC Consumer Rights and Interests Protection Law, which came into effect on March 15th, 2014, fills the gap between legislation and the development of the Internet industry. In this new Consumer Rights and Interests Protection Law, two articles deal with the protection of consumers’ personal information.
Art. 14 provides that consumers shall have the right to have personal information protected in accordance with the law when purchasing and using merchandise or services.
Art. 29 provides a series of measures that apply when business operators collect or use consumer personal information obtained either online or offline.
Further, Art. 29 also requires the consent of the consumers when a business operator collects and uses their information.
However, it does not define the format of such consent, nor whether it shall be given orally or in written form. The revised law was launched against the background of changes in consumption patterns, payment modes and so forth. Although perfectible, it initiates a legislative trend of paying more attention to personal information protection and makes the Consumer Rights Law an integral part of the laws and regulations governing data privacy in China.
• Measures for Administration of Population Health Information (the “Measures”)
The Measures were issued by the National Health and Family Planning Commission and came into effect on May 14th, 2014.
The Measures define population health information as the basic population information, medical service information and other population health information generated by medical, health and family planning service agencies of various levels in their service and management process in accordance with the national laws and regulations and their duties.
• Administrative Measures for Online Transactions.
The new Administrative Measures for Online Transactions came into effect on March 14th, 2015. These administrative measures apply to all online sales of products or services, including via mobile applications. They regulate the activities of individuals, enterprises and other entities that engage in applicable online transactions with consumers or other enterprises or entities, especially with regard to payments and settlements in connection with product or service sales, Internet access, server hosting, website and webpage design, third-party transaction platforms, credit ratings and virtual space rental, including cloud applications.
2. The New Amendment IX Regarding Data Protection
Essentially, two aspects have been amended compared with the previous version.
(i) The scope of entities covered and the penalties are increased for the crime of “illegal acquisition of citizen’s personal information” and the crime of “sale and/or illegal provision of citizen’s personal information.”
Article 253(1) of the Criminal Law is revised as follows: “Whoever, in violation of the relevant provisions of the State, sells or provides others with the personal information of a citizen with serious circumstances shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention and concurrently or separately sentenced to a fine; if the circumstances are severe, the person shall be sentenced to fixed-term imprisonment of three to seven years and concurrently sentenced to a fine.”
Previously, the Chinese Criminal Law prohibited employees of government agencies or institutions in the financial, telecommunication, transportation, education or medical sectors from selling or otherwise unlawfully providing to third parties personal data of any Chinese citizen to which these employees had access in the course of performing duties or services at any such agency or institution.
However, in accordance with this amendment, Art. 253(1) now applies to all entities.
Therefore, Article 253 provides stricter protection of personal information.
(ii) The crime of failing to perform the information network security management obligations of network service providers is introduced in Amendment IX.
One article is added after Article 286 of the Criminal Law as Article 286-1, providing that, in any of the following circumstances, where network service providers do not perform information network security management duties as provided by law or administrative regulations, and fail to make corrections upon being ordered by the oversight and management department, they could face a sentence of up to three years’ imprisonment, short-term detention or being put under surveillance, and/or a fine.
Seen as a signal to the IT industry and all entities dealing with the management of data, Amendment IX is intended to increase the protection of personal data handled through the Internet. Currently, as mentioned above, the relevant rules are scattered across numerous legislative and administrative texts. It is therefore important for entrepreneurs and multinational companies expanding business in China through or with Internet tools to treat customer and user information more carefully than ever, so as to avoid unnecessary trouble and, ultimately, criminal liability.