Data Privacy And Criminal Law In China

17 Oct 2025 --
0 Comments

⚖️ 1. Legal Framework for Data Privacy in China

China has strengthened data protection and privacy laws in recent years. The main legal instruments are:

Criminal Law of the PRC

Article 253 – Illegal access to computer systems.

Article 285 – Illegal use of personal or sensitive data for profit or fraud.

Article 286 – Illegal provision of personal data to third parties.

Article 287 – Cybercrime-related fraud using personal information.

Cybersecurity Law (2017)

Requires network operators to protect personal data and report breaches.

Criminalizes unauthorized collection, sale, or use of personal information.

Personal Information Protection Law (PIPL, 2021)

Introduces individual consent, purpose limitation, and strict penalties.

Establishes civil, administrative, and criminal liability for violations.

Data Security Law (2021)

Protects critical data and national security information.

Imposes criminal penalties for serious breaches of sensitive datasets.

Key Elements of Data Privacy Offenses

Unauthorized Access – Hacking or bypassing protections.

Illegal Collection or Use – Gathering data without consent or beyond permitted scope.

Selling or Leaking Data – Exchanging personal information for profit or fraud.

Data-related Fraud – Using personal information to commit scams or identity theft.

Aggravating Factors – Large-scale breaches, sensitive personal data, or national security risks.

⚖️ 2. Criminal Penalties

Minor Violations: Fines, warnings, or <3 years imprisonment.

Serious Violations: 3–7 years imprisonment, plus confiscation of illegal gains.

Severe Offenses: 7–15 years imprisonment for organized or high-risk breaches.

Additional Measures: Bans on operating networks, revocation of business licenses, or civil compensation.

⚖️ 3. Detailed Case Analyses

Here are six notable data privacy cases in China:

Case 1: Zhejiang Personal Information Sale Case (2015)

Facts:
A group in Zhejiang collected personal data of millions of citizens and sold it to marketing companies without consent.

Court Ruling:

Convicted under Articles 253 and 285 (illegal collection and sale).

Sentence: Ringleader – 7 years imprisonment; accomplices 3–5 years.

Confiscation of illegal profits (~10 million RMB).

Significance:
Highlighted the criminal liability of selling private data for commercial gain.

Case 2: Guangdong Telecom Data Breach Case (2017)

Facts:
A telecom employee accessed customer records and sold phone numbers and identity data to third parties.

Court Ruling:

Convicted under Article 286 (illegal provision of data).

Sentence: 5 years imprisonment; large fine; mandatory company compliance upgrades.

Significance:
Showed that insider threats in companies are treated as serious criminal offenses.

Case 3: Beijing Online Fraud Using Personal Data (2018)

Facts:
Hackers used stolen personal data from a mobile app to commit bank fraud, stealing over 3 million RMB.

Court Ruling:

Convicted under Articles 253, 285, and 287 (hacking, illegal use of data, and fraud).

Sentence: Ringleaders 10–12 years imprisonment; accomplices 5–7 years.

Significance:
Demonstrated the combination of data breaches and financial fraud as an aggravating factor.

Case 4: Shanghai Ride-Hailing Data Leak (2019)

Facts:
A ride-hailing company improperly stored user location and trip data, which was leaked to advertisers.

Court Ruling:

Convicted under Cybersecurity Law and Article 285.

Sentence: Corporate executive – 4 years imprisonment; company fined 2 million RMB.

Significance:
Emphasized corporate accountability for data storage and protection.

Case 5: Shenzhen App Unauthorized Data Collection (2020)

Facts:
A popular app secretly collected contacts, messages, and location data from users.

Court Ruling:

Convicted under Articles 285 and 286 for illegal collection and sale.

Sentence: Developers 3–6 years imprisonment; apps removed from stores; victims compensated.

Significance:
Reinforced user consent and explicit permission requirements under the PIPL.

Case 6: Hubei Medical Data Leak Case (2021)

Facts:
Hackers stole sensitive medical records from hospitals and sold patient data on the dark web.

Court Ruling:

Convicted under Articles 285 and 287 for illegal sale and use of sensitive personal data.

Sentence: 8–12 years imprisonment; heavy fines; medical institutions instructed to upgrade cybersecurity.

Significance:
Demonstrated strict protection for sensitive health data and alignment with Data Security Law.

⚖️ 4. Judicial and Policy Trends

Strict Protection of Sensitive Data: Health, financial, and identity data attract the highest penalties.

Corporate Accountability: Companies are criminally liable if they fail to implement adequate data protection measures.

Aggravated Sentences: Large-scale breaches, cross-border sales, or fraud using personal data lead to severe punishment.

Digital Evidence: Courts increasingly rely on server logs, emails, and app data to prosecute offenders.

Civil Compensation: Victims are entitled to compensation alongside criminal sentences.

✅ Summary Table of Representative Cases

Case	Type of Data	Offense	Sentence	Key Principle
Zhejiang 2015	Citizens’ personal info	Sale without consent	7 yrs / 3–5 yrs	Commercial profit from data = criminal liability
Guangdong 2017	Telecom records	Insider provision	5 yrs	Insider threat treated seriously
Beijing 2018	Bank & personal data	Hack & fraud	10–12 yrs / 5–7 yrs	Data breach + financial fraud aggravates sentence
Shanghai 2019	Ride-hailing	Improper storage & leak	4 yrs	Corporate accountability
Shenzhen 2020	App user data	Secret collection & sale	3–6 yrs	Consent required under PIPL
Hubei 2021	Medical records	Sale of sensitive data	8–12 yrs	Health data protected strictly