In May 2022, Putuo District People’s Procuratorate in Shanghai held a public hearing on its proposed decision not to prosecute a company for alleged illegal acquisition of data in computer information systems. The hearing concluded that the non-prosecution decision was appropriate on the ground that the company implemented adequate compliance measures.
This is the first reported case in which the procuratorate has decided not to prosecute a company for a data protection and cybersecurity offence on the basis of a compliance evaluation. In this article, we look into the legal framework and the case and set out our observations.
Criminal offences relating to data protection and cybersecurity
The Criminal Law provides for several criminal offences relating to data protection and cybersecurity, including illegal intrusion into computer information systems, illegal acquisition of computer information system data, infringement of citizens’ personal information, refusal to perform information network security management obligations, and illegal use of an information network.
Notably, companies that have committed such crimes will also be penalized, and the senior managers and personnel directly responsible for the offence may also be charged with relevant crimes.
China’s Supreme People’s Procuratorate (“SPP”) rolled out a scheme, under which prosecutors may decide not to prosecute an enterprise suspected of committing crimes, if the enterprise can demonstrate that it has implemented a compliance system satisfactory to the prosecutors and an independent third-party organisation within a specified period (“Corporate Non-Prosecution Scheme”).
In March 2020, the SPP launched the first phase of a pilot program of the Corporate Non-Prosecution Scheme at six local procuratorates. In April 2021, the SPP launched the second phase of the pilot program in ten provincial-level procuratorates and introduced a workplan to establish a third-party supervision and evaluation mechanism, whereby a group of third-party institutions will assess and evaluate whether the enterprise concerned has fulfilled its compliance commitments.
In June 2021, the SPP, jointly with other ministries, issued an official opinion setting out details of the operation and procedures of the third-party supervision mechanism (“Official Opinion”).
Corporate non-prosecution scheme
Under the pilot program, local procuratorates are empowered to publish their own implementation rules for the Corporate Non-Prosecution Scheme, but nationwide unified rules have yet to be formulated.
We summarise below the application scope and procedures of the Corporate Non-Prosecution Scheme based upon the Official Opinion and the implementing rules published by a district procuratorate in Shanghai.
The Corporate Non-Prosecution Scheme normally applies to crimes punishable by less than three years’ imprisonment. In addition, the relevant cases must meet the following conditions:
- the facts of the crimes are clear and the evidence is sufficient;
- the enterprise and individuals suspected of committing crimes voluntarily plead guilty and accept the penalties;
- the relevant enterprise maintains normal operation and production and undertakes to establish and improve its compliance system;
- the relevant enterprise voluntarily subjects itself to the third-party supervision mechanism; and
- the relevant enterprise has taken or promised to take remedial measures, such as returning illicit income, compensating for losses, paying delinquent taxes, and restoring the environment.
In the following circumstances, the Corporate Non-Prosecution Scheme does not apply:
- the criminal acts have caused a tremendous amount of economic loss or have had a negative social impact;
- the enterprise has been subject to criminal penalties or heavier administrative penalties for acts of the same nature;
- individuals established the enterprise for the purpose of committing illegal activities;
- the enterprise has committed crimes as its main activities after establishment;
- the personnel of the enterprise committed crimes in the name of the enterprise without its authorisation; and
- organised crimes, national security related crimes or terrorism-related crimes have been committed.
The procedures of the Corporate Non-Prosecution Scheme are as follows:
- Initiation: the procuratorate assesses whether the Corporate Non-Prosecution Scheme may apply to the case and formulates an investigation report.
- Compliance commitments: the enterprise makes the compliance commitments in writing, as requested by the prosecutor.
- Opinion gathering: the procuratorate should listen to the opinions of the investigation authorities, the victims and their legal representatives, the criminal suspects, and the responsible persons of the enterprise.
- Application decision: the prosecutor issues the opinion on whether to apply the Corporate Non-Prosecution Scheme, taking into account the investigation report, the compliance commitments, the opinions of relevant stakeholders, etc. Upon the approval of the chief prosecutor, the procuratorate will start to conduct compliance inspections.
- Compliance plan: the enterprise is required to prepare a comprehensive compliance workplan.
- External supervision: where necessary, the procuratorate may designate prosecutors or initiate the third-party supervision mechanism to evaluate the compliance status of the enterprise.
- Public hearing and final decision: the procuratorate will organise a public hearing to determine whether the compliance measures implemented by the enterprise justify a decision for non-prosecution.
I. Facts of the case
In the reported case, a company Z (“Company Z”) illegally obtained data for business purposes from an online takeaway platform without authorization, which caused direct economic losses of more than RMB 40,000 to the takeaway platform.
After investigation, the procuratorate determined to initiate the Corporate Non-Prosecution Scheme for the case on the ground that:
- the extracted data did not involve personal information;
- Company Z did not sell the extracted data to any third party for profit;
- the relevant personnel of Company Z all voluntarily pleaded guilty; and
- Company Z was willing to compensate for losses and obtained the victim’s forgiveness.
The Putuo District Procuratorate provided detailed guidance to Company Z for its compliance commitments. The recommendations proposed by the procuratorate mainly include:
- Establishing a data compliance system:
  - setting up a dedicated data compliance management department;
  - developing and continuously improving the data compliance plan to eliminate internal management blind spots, with particular attention devoted to the source of data.
- Enhancing the capability to identify and mitigate data compliance risks:
  - standardising the reporting and approval process;
  - establishing a compliance assessment mechanism for technology applications to avoid technology abuse.
- Facilitating robust data compliance operations:
  - establishing a data compliance consultation mechanism and a data non-compliance detection mechanism;
  - establishing a data classification and grading system; and
  - establishing a staff management system for data security.
In light of the above recommendations, Company Z took remediation actions and engaged legal advisors to formulate a data compliance rectification plan.
The third-party inspectors involved in this case were composed of experts from the Cyberspace Administration of China, a well-known Internet security company and an industry organisation. The third-party inspectors supervised the data compliance rectification work of Company Z through inquiries, on-site interviews and investigations, document review and training sessions. Upon expiry of the inspection period, the third-party inspectors were of the opinion that the compliance measures taken by Company Z were satisfactory.
Key takeaways for companies are twofold. Companies suspected of committing data-related criminal offences can seek a non-prosecution decision from the procuratorate if they meet the requirements of the Corporate Non-Prosecution Scheme.
More importantly, companies should establish and continuously improve their data compliance system to avoid data and cybersecurity breaches and demonstrate to the authorities that adequate compliance measures have been taken in the event of such breach.
We set out below a roadmap to help companies to address data compliance risks:
- Risk identification: carry out data mapping to understand specific processing activities and identify risks based on the results of the mapping exercises.
- Risk assessment: analyse compliance risks in light of the likelihood of occurrence and severity as well as the company’s business scope, business scale, structure of the organisation and market environment, etc.
- Risk response: implement appropriate response measures to mitigate risks, formulate data incident response plans in advance, and, if a suspected crime has occurred, report the incident to the public security authorities in a timely manner.
- Risk monitoring: set up dedicated data compliance departments or at least integrate data compliance functions into the existing organisational structure, and continuously improve data compliance through measures, such as regular audits and awareness training.