Case Explained: A corporate guide to data crime prevention | China – Legal Perspective


Amid swift growth of the digital economy, e-commerce now drives social and economic development. Handling information – collecting, storing, processing and transmitting it – is part of daily business operations, and data has steadily become a central asset in corporate competition.

But some companies pursue profit by illegally obtaining, selling or providing personal information – or even using scraping tools to pilfer data – exposing themselves to serious criminal liability.

Based on court rulings and practice, the authors of this article identify principal risk categories and suggest tailored responses to help businesses build robust data-security protections.

Criminal risks

Illegally obtaining, selling or providing personal information. Under China’s criminal law, selling or providing a citizen’s personal information to others in breach of relevant state provisions constitutes an offence where the circumstances are serious.

Pursuant to sub-paragraphs 3 to 8 of article 5 of the judicial interpretation on personal information crimes, jointly issued by the Supreme People’s Court and the Supreme People’s Procuratorate, “serious circumstances” are identified as follows:

“(3) illegally obtaining, selling or providing 50 or more items of information concerning a person’s whereabouts, communications content, credit information, or property;

(4) illegally obtaining, selling or providing 500 or more items of other personal information that may affect personal or property safety, such as accommodation details, communication records, health related data, and transaction information;

(5) illegally obtaining, selling or providing 5,000 or more items of personal information not covered in sub-paragraphs (3) or (4);

(6) where quantity does not separately reach the thresholds in sub-paragraphs (3) to (5), but the aggregated proportion meets the relevant quantitative standards;

(7) where illegal gains amount to RMB5,000 (USD720) or more;

(8) where personal information obtained in the course of duty or service is sold or provided to others, and the data volume or financial gain reaches half or more of the standards specified in sub-paragraphs (3) to (7).”

In practice, enterprises processing bulk personal data can easily exceed these numeric thresholds. Collecting and storing several hundred sensitive records without authorisation, or selling customer information in bulk to a third party, can each suffice to trigger criminal liability.

Of greater concern is that knowingly providing personal data to a third party for fraudulent or other criminal use constitutes a prosecutable offence, irrespective of the data volume or financial gain.

Many companies – whether through systemic weaknesses or deliberate non-compliance – mistakenly treat such conduct as an administrative matter, when in fact it entails major criminal liability. Penalties range from corporate fines to imprisonment, detention and monetary sanctions for directly responsible personnel, representing grave legal and financial cost.

Illegally accessing data. Some companies seeking to offer enhanced data services to attract customers may use web-scraping tools to harvest information such as order details or client lists from competitor platforms without authorisation. Such conduct can readily constitute the offence of “illegally obtaining computer information system data”.

In a guidance case published by the Supreme People’s Procuratorate concerning illegal acquisition of computer information system data, company Z in Shanghai – without authorisation from Shanghai company E – conducted “external scraping” by using illicit technical measures and taking advantage of flaws in company E’s website to evade IP limitations and verification code controls. This enabled company Z to amass extensive stored information held by company E.

Through “internal scraping”, company Z also utilised merchant account passwords it had obtained, and a self-developed browser extension to breach company E’s merchant-side agreement and download further substantial volumes of stored data.

Company E’s stored information, which had significant commercial value, was taken without permission; the additional traffic costs and direct economic loss incurred exceeded RMB40,000.

Company Z subsequently faced charges relating to illegally obtaining computer information system data.

Apart from such typical criminal liabilities, corporate data activities may also risk charges such as damaging computer information systems, failing to fulfil cybersecurity management obligations, aiding information network criminal activities, infringing trade secrets and committing fraud.

Therefore, managing data throughout its lifecycle – from collection and acquisition to storage, processing and transmission – has become an essential business requirement.

Countermeasures

Since illegal acquisition, sale and provision of personal data – together with unauthorised system intrusion for data harvesting – represent prominent criminal risks for companies in the big-data era, businesses must proactively establish a dual-layer defence combining legal compliance and technical controls before such risks materialise into actual liability.

Build a robust data security governance framework. Enterprises are required to adhere fully to regulations such as the Data Security Law, Personal Information Protection Law and Cybersecurity Law, as well as applicable industry rules.

They must create and continually refine data security management systems aligned with their business operations to guarantee legal and regulatory compliance in data handling. An effective data security or compliance system may serve as key proof in court that the company did not act with criminal intent.

Collect information compliantly and conduct regular self-assessments. Companies should clearly define data security responsibilities across departments, establish classification and grading rules for data management, and carry out periodic compliance reviews.

These should focus on high-risk areas such as the use of web scraping tools and app permission settings. Any identified vulnerabilities must be logged and remedied within a set timeframe.

Strengthen technical safeguards. Enterprises should implement systems for data encryption and access control, enforce multi-factor authentication for accessing core data, and continually monitor for anomalies such as unusual downloads or bulk exports – responding promptly to any suspicious activity.
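As an added illustration of the monitoring the previous paragraph calls for (this is example code written for this page, not code from the article or from Starrise Law Firm), the following Python script flags bulk exports from an export audit log using a per-account sliding window. The log format, the account names, the 10-minute window and the 500-record threshold are all constructed assumptions; a real deployment would tune the threshold to the sensitivity of the data and feed alerts into whatever response process the company has defined.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not from the article). One event per line:
# ISO timestamp, account, action, number of records returned, client IP.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice export 120 10.0.0.5
2024-03-01T09:00:09 alice export 150 10.0.0.5
2024-03-01T09:00:20 alice export 300 10.0.0.5
2024-03-01T09:00:31 alice export 400 10.0.0.5
2024-03-01T09:01:02 bob view 1 10.0.0.8
2024-03-01T09:05:00 bob export 20 10.0.0.8
2024-03-01T11:30:00 carol export 900 10.0.0.9
2024-03-01T14:30:00 carol export 900 10.0.0.9
"""

# Assumed policy values: an account that pulls 500 or more records within any
# 10-minute window is treated as a bulk export worth investigating.
WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 500


def parse_log(text):
    """Parse the constructed log format into (timestamp, account, action, count, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, count, ip = line.split()
        events.append((datetime.fromisoformat(ts), account, action, int(count), ip))
    return events


def detect_bulk_exports(events, window=WINDOW, threshold=BULK_THRESHOLD):
    """Return one alert per account each time its export volume in the window crosses the threshold.

    Events are processed in time order. For each account we keep the export
    events inside the trailing window and their running total; an alert is
    raised when the total first reaches the threshold, and the account becomes
    eligible for a new alert only after its windowed total drops below it again.
    """
    recent = defaultdict(deque)   # account -> deque of (timestamp, record_count) in window
    totals = defaultdict(int)     # account -> sum of record_count over the deque
    alerted = set()               # accounts currently above threshold (already reported)
    alerts = []

    for ts, account, action, count, ip in sorted(events):
        if action != "export":
            continue                                  # only exports count toward the total
        q = recent[account]
        while q and ts - q[0][0] > window:            # expire events outside the window
            _, old_count = q.popleft()
            totals[account] -= old_count
        if totals[account] < threshold:
            alerted.discard(account)                  # volume fell back to normal; re-arm
        q.append((ts, count))
        totals[account] += count
        if totals[account] >= threshold and account not in alerted:
            alerted.add(account)
            alerts.append({
                "account": account,
                "at": ts.isoformat(),
                "records_in_window": totals[account],
                "ip": ip,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_exports(parse_log(SAMPLE_LOG)):
        print(f"BULK EXPORT: {alert['account']} pulled {alert['records_in_window']} "
              f"records by {alert['at']} from {alert['ip']}")
```

On the sample log this reports alice (four small exports adding up to 570 records within 20 seconds, which a per-request limit would miss) and carol twice (two 900-record exports three hours apart, each a separate breach), while bob's routine activity stays quiet. The same windowed-total approach applies to other anomalies the paragraph mentions, such as unusual download counts per client IP.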

Enhance personnel management. Employees should be required to sign data confidentiality agreements upon joining the company. When staff leave, their system access must be promptly revoked and their data holdings reviewed. Regular legal training should be provided to explain relevant criminal liabilities and raise risk awareness among employees.

Streamline risk response procedures. If a company becomes involved in a criminal matter, it should promptly engage specialist criminal law counsel to clarify the division of responsibility between the organisation and the individuals concerned.

Where the offence arises from an employee’s personal misconduct, the company may present evidence of its internal compliance systems and the employee’s unauthorised acts, relying on factual and objective documentation to seek a reduction or even elimination of corporate criminal liability.

Ding Wen is an associate and Su Zhongming is a director of the compliance practice centre at Starrise Law Firm

Starrise Law Firm
Room 1701, 17/F, China Resources Building
8 Jianguomen North Street, Dongcheng District
Beijing, China
Tel: +86 10 6401 1566
E-mail: dingwen@xinglailaw.com | suzhongming@xinglailaw.com
www.xinglailaw.com