Cybersecurity Law And Criminal Enforcement In Chinese Provinces
China’s cybersecurity legal framework has rapidly evolved, with the Cybersecurity Law of the People’s Republic of China (CSL, 2017) serving as the foundational statute. Enforcement occurs both at the central level (Ministry of Public Security, Cyberspace Administration) and at provincial levels. Provinces often investigate and prosecute:
Unauthorized access or hacking
Data theft and leakage
Spreading malware
Illegal online operations (fraud, phishing, illicit e-commerce)
Violations of personal information protection laws
Criminal enforcement often involves cooperation between provincial police bureaus, prosecutors, and courts.
1. Zhejiang Province: Hangzhou Data Breach Case (2018)
Facts
A company in Hangzhou collected personal data from over 50,000 users without consent and sold it to marketing firms. The breach exposed sensitive information including ID numbers, phone numbers, and employment details.
Legal Framework
Cybersecurity Law (2017): Articles 41 and 42 criminalize unauthorized collection and transfer of personal data.
Criminal Law of PRC, Article 253: Penalties for theft of personal information.
Prosecution and Enforcement
Local Public Security Bureau initiated an investigation under Zhejiang Provincial Cyber Police.
Corporate executives and data managers were detained for illegal collection and sale of personal information.
Outcome
Four executives sentenced to 3–5 years imprisonment and fined.
The company received administrative fines and was ordered to rectify data collection practices.
Significance
Early enforcement showing provincial-level vigilance on personal data misuse.
Sentences highlight criminal liability for executives, not just corporations.
2. Guangdong Province: Shenzhen E-Commerce Malware Case (2019)
Facts
A Shenzhen-based e-commerce platform was distributing malware via third-party apps, stealing users’ payment information and redirecting transactions.
Legal Framework
Cybersecurity Law, Articles 21–22: Obligation of network operators to secure user data.
Criminal Law Articles 285 and 286: Illegal access and illegal control of computers or network systems.
Prosecution Pattern
Investigation led by Guangdong Cybersecurity Bureau in coordination with the Shenzhen municipal public security department.
Prosecutors focused on intentional deployment of malware and economic loss caused.
Outcome
Five individuals sentenced to 4–7 years imprisonment.
Financial restitution ordered to victims.
The company’s operations suspended and IT security upgrades mandated.
Significance
Example of provincial-level criminal enforcement targeting network infrastructure abuse.
Reinforced corporate responsibility under CSL for third-party app security.
3. Jiangsu Province: Suzhou Phishing Fraud Ring (2020)
Facts
A criminal group based in Suzhou ran a phishing campaign targeting bank accounts through fake mobile banking apps and websites. Losses exceeded 10 million RMB.
Legal Framework
Criminal Law Article 266: Fraud-related offenses via electronic means.
Cybersecurity Law Article 28: Responsibility for securing user accounts and preventing abuse.
Prosecution Pattern
Jiangsu provincial cybercrime task force coordinated arrests across multiple cities.
Investigations included digital forensics of servers, IP tracing, and financial transactions.
Outcome
12 individuals prosecuted; sentences ranged from 3 to 10 years.
Coordinated provincial courts emphasized deterrence and restitution to victims.
Significance
Shows integration of cybersecurity law with criminal law for financial cybercrimes at the provincial level.
4. Sichuan Province: Chengdu University Data Leak Case (2021)
Facts
Personal and academic records of 100,000 students were illegally accessed and leaked online. The breach originated from unsecured university servers.
Legal Framework
Cybersecurity Law Articles 41–42: Data protection obligations for network operators (universities included).
Criminal Law Articles 253 & 285: Illegal access and illegal disclosure of personal information.
Prosecution Pattern
Chengdu Public Security Bureau’s Cyber Crime Division investigated, identifying university IT staff colluding with external hackers.
Emphasis on internal negligence and complicity in data theft.
Outcome
Three IT staff convicted; prison terms of 2–4 years.
University fined and required to upgrade security infrastructure.
Case used for awareness campaigns in educational institutions.
Significance
Highlights that public institutions are held accountable under cybersecurity law.
Enforcement extended to internal employees, not just external hackers.
5. Beijing: Illegal Cryptocurrency Mining Malware Case (2019–2020)
Facts
A Beijing-based IT company developed malware to secretly use other computers for cryptocurrency mining without user consent. Hundreds of machines across provinces were compromised.
Legal Framework
Cybersecurity Law Article 21: Network operators must prevent unauthorized use of computing resources.
Criminal Law Article 285: Illegal control of computers.
Administrative regulations: Beijing Internet Court oversaw civil restitution for affected users.
Prosecution Pattern
Multi-provincial cyber police coordination.
Emphasis on economic loss, unauthorized use, and cross-provincial impact.
Outcome
Company founder sentenced to 6 years imprisonment.
Restitution of mining profits required.
Company operations permanently shut down.
Significance
Enforcement demonstrates criminal accountability for using malware for profit, even if financial loss is indirect.
Provincial authorities coordinate closely with Beijing courts for cross-regional cybercrimes.
6. Hubei Province: Wuhan Social Media Defamation and Illegal Information Sale Case (2020)
Facts
Individuals in Wuhan were selling personal information from social media accounts, leading to harassment and identity theft.
Legal Framework
Cybersecurity Law Article 41: Protect personal information.
Criminal Law Article 253: Theft of personal data for commercial gain.
Prosecution Pattern
Hubei provincial cyber police traced transactions through payment platforms.
Coordinated enforcement between Wuhan city courts and provincial cyber enforcement units.
Outcome
Five individuals sentenced to 2–5 years imprisonment.
Fines imposed; data-sharing platforms held accountable for monitoring violations.
Significance
Highlights focus on social media data abuse and growing enforcement at provincial levels.
Reinforces principle of corporate and individual liability for personal data leaks.
Patterns of Cybersecurity Criminal Enforcement in Chinese Provinces
Provincial Cyber Police Lead Investigations
Often coordinate with municipal bureaus for evidence collection, especially digital forensics.
Combination of Cybersecurity Law + Criminal Law
CSL sets obligations for network operators.
Criminal law provides penalties for illegal access, fraud, malware, and data theft.
Targeting Both Individuals and Companies
Executives, IT staff, and operators are held accountable alongside corporate entities.
Penalties Include Imprisonment, Fines, and Rectification
Administrative orders and corporate compliance upgrades are common alongside criminal sentences.
Multi-Province Cooperation
Crimes affecting multiple provinces trigger coordinated investigations, sometimes involving central authorities.
Focus on Data Protection and Personal Information
Most prosecutions involve personal information breaches, malware, fraud, or illegal data transactions.
These six cases demonstrate how cybersecurity law in China is applied across provinces, emphasizing the criminal liability of individuals and companies, with active coordination between cyber police, prosecutors, and courts.
