Data Security: Three lessons from China's first criminal compliance case

17 June 2022


Case summary

Between 2019 and 2020, a network technology company (the "suspect company"), through its Chief Technology Officer (the "CTO"), instructed its employees (most of whom were technicians) to illegally obtain data from a food delivery e-platform (the "victim company") by way of data crawler technology for the suspect company's business purposes. This illegal act caused a direct economic loss of more than RMB 40,000 (approximately USD 6,000) to the victim company, and the suspect company was suspected of committing the crime of illegally obtaining computer information system data.

After the case entered the investigative phase, the suspect company obtained forgiveness from the victim company by actively compensating the loss. Upon receiving the suspect company's application, the Putuo District Procuratorate of Shanghai issued a procuratorial compliance proposal to the suspect company and initiated a compliance review plan.

Corrective measures

As a first step, the procuratorate visited the suspect company to examine the current status of its operations. After discussion with the regulatory authorities, the procuratorate put forward suggestions for corrective measures covering data compliance management, the identification, evaluation and handling of data security risks, and the guarantee of data compliance during operations, to guide the suspect company in making compliance commitments.

Following the procuratorate's suggestions, the suspect company conducted a self-inspection and implemented corrective measures concentrating on its internal management and technical measures. To ensure fulfillment of its compliance commitments, the suspect company further engaged an external legal team to formulate a holistic plan for data compliance.

In addition, a panel comprising members of third-party organisations, including experts from the Cyberspace Administration, a well-known internet security company and some social organisations, supervised the suspect company's entire data compliance process by means of inquiries, interviews, field visits, review of materials and training sessions.

The result

At the end of the examination period, the panel assessed the compliance measures taken by the suspect company as satisfactory. In May 2022, the procuratorate held a public hearing to examine the suspect company's fulfilment of its commitments and the social harm caused, and to decide whether the case could be dismissed from further prosecution.

After deliberation, all parties present at the hearing agreed that the suspect company had rectified the issues and fulfilled its commitments to data compliance, and therefore unanimously decided not to prosecute the suspect company, its CTO or the employees involved in the case.

Overview of the development of criminal compliance in China

Starting from early 2021, in certain offences, the company and its employees involved in the case can file an application to the procuratorate to trigger the criminal compliance mechanism. In such cases, the suspect may submit an application for compliance rectification to the procuratorate, committing to a deadline for compliance rectification. In the event that such application for criminal compliance is approved, an independent supervisor will be selected to inspect, evaluate and issue an assessment report on the suspect's rectification result.

If the results of the rectification and compliance are satisfactory, the procuratorate will, depending on the circumstances, issue a decision not to prosecute or make a recommendation to the court for a lighter or lesser penalty.

Crimes concerning cyber security, data security and personal information in China's criminal law

Cyber security

  • Crime of illegally intruding into computer information systems;
  • Crime of illegally obtaining computer information system data or controlling computer information systems;
  • Crime of providing programs or instruments for intruding into or illegally controlling computer information system;
  • Crime of destroying computer information systems;
  • Crime of refusing to fulfil obligations of managing the security of information networks;
  • Crime of illegally making use of information networks; and/or
  • Crime of facilitating criminal activities on information networks.

Personal information

  • Crime of infringing citizens' personal information.

Business secrets

  • Crime of infringing on business secrets; and/or
  • Crime of stealing, detecting, buying or illegally providing business secrets for foreign agency, organisation or person.

State secrets and state-owned archives

  • Crime of stealing, spying into, buying or unlawfully supplying state secrets or intelligence for entities outside the territory of China;
  • Crime of illegally obtaining state secrets;
  • Crime of intentionally leaking state secrets and crime of negligently leaking state secrets;
  • Crime of forcibly seizing or stealing state-owned archives; and/or
  • Crime of selling or transferring State-owned archives without authorisation.

Takeaways for data compliance

Since 2021, China has entered an era of "robust regulation" concerning cyber security, data security and personal information protection. At present, the top-level design of legal frameworks in respect of cyber security and data compliance, led by the Cyber Security Law, the Data Security Law and the Personal Information Protection Law, has been established, and the compliance requirements and legal consequences are clearly set out.

Even if no data security incident occurs, there are some real risks that the administrative authority may impose penalties in accordance with laws and regulations in respect of data protection, if a company fails to fulfil its data security protection obligations, such as not establishing and implementing a comprehensive data security management system where its operations involve the collection and processing of data.

Any organisation or individual that fails to comply with data security obligations in the course of data processing activities, resulting in data leakage or other serious consequences, may be subject not only to penalties such as imprisonment, fines, suspension of the relevant business, suspension of business operations for rectification, or revocation of the relevant business permit or business licence, but also to imprisonment and fines for the employees directly responsible and other persons directly responsible.

Obviously, there is still a long way to go in terms of compliance, but for now, building data compliance is something that is imperative for businesses involved in data processing.

In light of the above, there are certain points that companies can keep in mind in terms of establishing data compliance.

1. Proportionate data compliance management system in place

Companies that are in a position to do so are advised to tailor their compliance systems to legal requirements and the features of their business, while avoiding these systems becoming mere formalities. Establishing a criminal compliance system will help companies and their senior management mitigate risks effectively and avoid triggering a criminal case.

Specifically in terms of data compliance, it is recommended that companies strengthen the construction of internal control mechanisms for data compliance, for example, by setting up a data compliance management department, formulating and continuously improving data compliance plans, strengthening compliance supervision for data collection and use in business activities, and providing regular education and training for employees, so as to eliminate blind spots in internal management.

2. Data compliance emergency plan for unexpected situations

It is recommended that, when a company is investigated by the public security or procuratorial authorities, external counsel be engaged in a timely manner to respond to the situation and mitigate criminal risks.

Where it is assessed that there is a relatively high probability of an offence being established, consideration should be given to using the plea procedure and applying for criminal compliance procedures to secure a non-prosecution decision, similar to the situation in the above case.

3. Professional team to assist with compliance rectification

During the compliance supervision period, for the purpose of effectively collaborating with the evaluation conducted by the supervision panel, lawyers and other professionals should be engaged to participate in the implementation and evaluation of the compliance plan, with a view to effectively implementing the compliance rectification commitments.

After receiving the non-prosecution decision, it is vital for companies to strengthen their awareness of data security risks and operate in compliance with laws, regulations and standards, to avoid recurrence of the issue.

To understand more about data protection in China, and China's first data security criminal compliance case, please get in touch with Ivy Liang.

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.