Home / Publications / JunHe Legal Updates / details of junhe law review

The Amendment (IX) to the Criminal Law Reinforces Personal Information and Cyber Security Protection

2015.10.30 DONG, Xiao (Marissa)、Lena (Qiong) YUAN、Lu LUO

The Amendment (IX) to the Criminal Law of the People's Republic of China (the “Amendment IX”) was officially promulgated on August 29, 2015 and will come into force on November 11, 2015. With regard to crimes involving a citizen's personal information and cyber security, the Amendment IX will provide stricter regulations on the crimes of illegally providing and acquiring personal information and cyber security breaches, as summarized in the highlighted points below.

Applicability scope broadened and penalties increased for the crime of “illegal acquisition of citizen’s personal information” and the crime of “sale and/or illegal provision of citizen’s personal information”

  • The crime of “sale and/or illegally providing citizen’s personal Information” is no longer limited to specific industries. If personal information that is illegally provided or sold is obtained in the course of performing functions or providing services, an aggravating factor shall apply.

  • The maximum penalty is increased from three years to seven years, meaning the criminal liabilities for crimes that infringe on the personal information of citizens are increased. 

However, we noticed that the previous draft of the Amendment IX released for public comment specified that the “unauthorized sale or illegal provision” of a citizen’s personal information constitutes a crime. This clause was not adopted in the final version of the Amendment IX.

Crime of failing to perform the information network security management obligation of network service providers introduced in the Amendment IX

The Amendment IX introduced criminal liabilities for network service providers that provide information network security management. Any network service provider that fails to perform the information network security management obligation, as prescribed in any law or administrative regulation, and refuses to adopt remedial measures after being ordered by the regulatory authority shall be fined and/or sentenced to (a) imprisonment of not more than three years, (b) criminal detention or (c) surveillance only under any of the following circumstances:

  • Causing the dissemination of a large amount of illegal information;

  • Causing the leakage of users' information, with serious consequences;

  • Causing the loss of criminal case evidence, with serious consequences;

  • Any other serious circumstance.

Thus, if any network service provider fails to properly perform its cyber security management obligations, it could be subject to criminal liabilities in the above circumstances. Such liabilities would be in addition to the administrative sanctions provided in the existing administrative regulations (such as the Provisions on Protecting the Personal Information of Telecommunications and Internet Users, according to which a network service provider may be ordered to make corrections within a prescribed time limit, warned and fined not less than RMB 10,000, but not more than RMB 30,000 by telecommunications administrative bodies).

Crimes conducted by using the information network introduced in Amendment IX

The Amendment IX regulates crimes conducted by using the information network and regulates severe conduct such as “establishing a website or a communication group mainly for committing fraud, teaching how to commit a crime, producing or selling any prohibited or controlled article, or committing any other illegal or criminal activity; issuing any information on the production or sale of drugs, guns, obscene articles, or any other prohibited or controlled article or any other illegal or criminal conduct; issuing any information for committing fraud or any other illegal or criminal activity.” In addition, it regulates respective crimes and penalties applicable to any person who (while obviously aware that any other person is committing a crime by using an information network) provides Internet access, server custody, network storage, communications transmission or any other technical support, or provides advertising, payment settlement or aids in the commission of such crimes. 

JunHe is the only Chinese law firm to be admitted as a member of Lex Mundi and Multilaw, two international networks of independent law firms. JunHe and selected top law firms in major European and Asian jurisdictions are “best friends.” Through these connections, we provide high quality legal services to clients doing business throughout the world.