Privacy & Information Security Law Blog

In recent months, the Chinese government has focused an increasing amount of attention on the protection of personal information. As we previously reported, there have been a number of new data protection regulations in China, including the Decision on Strengthening the Protection of Information on the Internet issued by the Standing Committee of the National People’s Congress in December 2012, and new rules issued by the Ministry of Industry and Information Technology this July to protect personal information collected by telecommunications and Internet service providers. This focus also is illustrated by Shanghai authorities’ recent crackdown on crimes involving personal information.

Reports indicate that in early August of this year, public security authorities in Shanghai launched a fourth round of enforcement related to personal information violations. According to one of these reports, this recent crackdown involved the investigation of 126 persons, 35 of whom have been detained, and uncovered more than 140 cases of possible criminal activity. Among those who have been arrested is a British citizen who has been operating an investigation and consultation business in Shanghai since 2004. This individual reportedly collected, purchased or otherwise illegally obtained personal information that he used to compile credit reports which he sold to clients that included multinational companies, financial institutions and law firms. The credit reports contained information such as residence registration, family members, exit and entry information, and ownership of real estate, vehicles and other property.

Thus far, news reports have not disclosed much detailed information about the facts of the case, such as how the suspect obtained the personal information, whether any government personnel may be involved or whether the activities caused any actual injury or damage to individuals or entities. Nevertheless, the story indicates that “purchasing” personal information may be subject to prosecution in China. Article 253.A of the P.R.C. Criminal Law prohibits personnel working for government agencies and institutions in the financial, telecommunications, transportation, education and medical sectors from selling or illegally providing citizens’ personal information obtained in the course of the performance of their duties. The law also prohibits any other individual or entity from stealing or illegally obtaining personal information through other means. Although it is unclear exactly what may constitute “illegally obtaining” personal information, the investigation of the British suspect could be an example of how this term will be applied in practice. Certainly, it suggests that the “purchase” of personal information may be considered “illegally obtaining” the information.

Although we have noted a general effort to strengthen the protection of personal information in China in recent months, the need to conduct frequent crackdowns (as well as the lack of official interpretations for the implementation of data protection rules) tends to suggest weaknesses in the rules and a widespread lack of compliance.