On 29 August 2015, the National People’s Congress enacted the Ninth Amendments to the PRC Criminal Law. The enactment followed two rounds of public consultation, for which draft amendments were released in November 2014 and July 2015. The amendments will become effective on 1 November 2015.

Among other things, the amendments concern both the anti-corruption and data privacy areas, suggesting the continued focus by the PRC authorities on these areas of law and the desire to bring PRC legislation in line with international standards.

Anti-corruption Regime

There are several aspects of the PRC anti-corruption regime where the amendments will have an impact:

  • A new paragraph was added in Article 390 of the PRC Criminal Law to impose liability on persons who offer bribes to close relatives of, or any person close to, current or former state personnel.
  • Amendments have been made to Articles 390 – 393 of the PRC Criminal Law (public sector bribery) and Article 164 of the PRC Criminal Law (private sector bribery) to allow fines to be imposed on individuals convicted of bribery, including on employees of a unit that are responsible for bribe payments made by the unit. Under the pre-amendment regime, individuals were generally only subject to imprisonment for violations.
  • Conditions under which self-reporting will mitigate or exempt liability for bribery violations have been clarified. In particular, when the underlying crimes are relatively minor and the offenders have assisted with exposing corrupt activities of others, liability may be mitigated or exempted. Otherwise, offenders who self-report will be entitled to lenient treatment but cannot be completely exempted from liability.

Data Privacy

There were considerable amendments to Article 253-1 of the PRC Criminal Law, which concerns the sale or provision of personal information. Previously, the provision targeted statutory violations by employees in certain industries where the employees were likely to have extensive access to personal data, such as finance, telecommunications, transportation and healthcare. Article 253-1 also contained a more general provision not limited to employees in specific industries where the personal information was obtained in violation of PRC law.

The amended Article 253-1 simply provides that anyone who sells or provides personal information to third parties is subject to punishment. Moreover, there have been changes to the extent of the punishment applicable. Previously, a violation under "serious circumstances" was punishable by imprisonment of less than three years (or detention), and/or criminal fines. The new provision increases the imprisonment component of the penalty to between three and seven years for violations that constitute "very serious circumstances." Even harsher penalties may be imposed on persons who violate the provision in the course of employment.

The amendment also added a particular provision, Article 286-1, to impose an affirmative obligation on network service providers to comply with “information network safety administration obligations” as provided under relevant laws or regulations. If failure to comply with such obligations results in (i) the wide dissemination of illegal information; (ii) a leak of user information that leads to serious consequences; (iii) the loss of evidence for criminal cases; or (iv) other serious circumstances, the service provider is subject to criminal fines and punishment.