Privacy & Information Security Law Blog

The Standing Committee of the National People’s Congress recently passed an amendment to the P.R.C. Criminal Law.  The amendment includes a provision imposing criminal liability on persons who misappropriate personal information during the course of performing their professional duties.  A previous Hunton & Williams Client Alert reported on the amendment that has now become effective as law.

The amendment as passed imposes potential criminal penalties not only on government agency personnel, but also on personnel in financial, telecommunications, transportation, educational and medical institutions who may sell personal information or provide it to others.  In other words, the law appears to allow the imposition of penalties within the private sector, as well as on government officials who misappropriate personal data.  The law can also make an enterprise, or a supervising person within an enterprise (“management personnel with direct responsibility”), liable for such misappropriations that are conducted by the enterprise.

Possible penalties for such misappropriations include imprisonment for less than three years, imposition of a fine (as a single penalty or concurrently with other penalties), or detention.  The amendment also makes intrusions into computer systems outside the government sector and obtaining information stored, processed, or transmitted thereon a criminal act.

Companies in the financial, telecommunications, transportation, educational and medical sectors in China may want to establish internal procedures to prevent misappropriations of personal data within their enterprise, and to undertake employee educational efforts to foster awareness of the importance of handling personal data with appropriate care.