On February 28, 2009, the Chinese legislature enacted the Amendments to the Criminal Law of the People’s Republic of China (VII), which include an article (Article 7) that criminalizes, for the first time, the sale and other illegal transfers of personal information by employees of government agencies and other institutions. In the absence of an overarching statute safeguarding personal information, this amendment to China’s penal code offers the strongest legal protection of the privacy of personal data to date.  

According to Article 7, if employees of government agencies, or of financial, telecommunication, transportation, educational, health care, or other institutions, sell or unlawfully provide personal information obtained while the institutions were performing their duties or providing services to others in violation of state regulations, they will be subject to up to three years of imprisonment or criminal detention, and/or other penalties if the violation is serious.  

According to Article 7, this punishment also applies to people who steal or otherwise illegally obtain the aforementioned information. In addition, if the institutions act as the offenders, they will be subject to penalties, and the supervisors directly in charge and other directly liable persons will be punished accordingly.  

Article 7 marks an important development in the protection of personal information in China. However, some lawmakers and political advisors believe that it has apparent loopholes and deficiencies. First, the law fails to define what constitutes “personal information,” which renders the enforcement and the precise impact of Article 7 dubious.  

Second, this amendment only criminalizes the sale or unlawful transfer of personal information that violates relevant state regulations. Therefore, the enforcement of Article 7 is dependent on the interpretation of other regulations concerning the transfer of personal information, which leaves ample room for ambiguity.  

Third, Article 7 enumerates only government agencies and certain other institutions. While it leaves room for the punishing of “other” institutions and their employees, it does not offer meaningful guidance on what “other” institutions it may encompass. In reality, there are many other institutions that may legitimately collect and use personal information, such as Internet service providers, hotels, law firms, accounting firms, real estate agencies, retailers, and membership clubs, and they may illicitly sell or otherwise unlawfully transfer the information to others.  

In fact, in a survey conducted in 2008 by the China Youth Newspaper, an influential national newspaper in China, the public considered telecommunication institutions, job Web sites and recruiting agencies, and various intermediary agencies as the top three actors in leaking personal information. However, Article 7 fails to define the scope of the institutions more precisely and comprehensively, which may lead to difficulties in its enforcement and frustration among the public.  

Fourth, Article 7 addresses only the sale of or other unlawful provision of personal information to others, and the illegal attainment of personal information by stealing or other means. However, there are other acts that jeopardize the security of personal information, such as the illicit collection, storage, processing or use of personal information; Article 7 does not bring these harmful acts under the penal code’s purview.  

In addition, some judges and legal scholars in China have expressed their concerns over the enforcement of Article 7. One criticism is that it only penalizes severe violations, but the practical difficulty is how to define what constitutes severe violations. In practice, the Supreme People’s Court of the PRC will issue specific judicial interpretations and further clarifications after a period of time.  

Some believe that a more pressing task is to enact a separate Citizens’ Personal Information Protection Law. To date, China does not have a statute that is directly pointed to the protection of personal information. Rather, sporadic provisions concerning personal information protections are seen in various laws, including the Constitution, the Criminal Law, telecommunication regulations, administrative regulations, and so on.  

In 2003, the State Council of the PRC asked a group of legal experts to start the preliminary drafting work of the Personal Information Protection Law, which was completed in 2005. Since the summer of 2008, the State Council has been reviewing the draft statute compiled based on the experts’ draft before submitting it to the Chinese legislature. However, the draft is not expected to be debated by the national legislature anytime soon.  

In recent years, China has seen rising public outcries against personal data leaks. Thus, despite its potential inadequacy, Article 7 signifies that Chinese legislators are responding to the public’s distress. To offer more expedient remedies while the comprehensive personal information protection law is pending, lawmakers may consider issuing low-level regulations to provide civil and administrative protection for individuals’ privacy.

For an additional article relating to privacy issues in China, see Privacy Briefing, Issue 1 (February 2008