Criminal law protection of personal information in China in the context of building a social credit system
The article analyzes the norms of criminal law, which enshrine the protection of personal information in the People's Republic of China. The trends of law enforcement practice in criminal cases, the subject of which is personal data, are investigated. The increased criminal law protection of personal information of Chinese citizens is due to the emergence of a social credit system. The article examines the features of the functioning of the social credit system, as well as the impact of this system on the rights and freedoms of the individual in the context of digitalization. The interest in the system under consideration is due to the significant influence that the PRC has on the formation of the legal culture of other countries. The author concludes that a significant degree of state intrusion into the private space of citizens correlates with effective measures to protect personal information. Using the example of China, we see the desire of the state to protect the personal data of citizens, including through criminal legal means. At the same time, cases of law enforcement are becoming more common, especially in criminal law.
Keywords: social credit system; confidentiality; identification; personal information; identifying information; illegal sale of personal data; identity theft; privacy; privacy; social rating; blacklist.
The Criminal Code of the People's Republic of China, adopted in 1997, initially did not provide for norms that would establish the protection of personal data. In 2009, for the first time in Chapter 4 "Crimes against the rights of the individual, the democratic rights of citizens" of the Criminal Code of the People's Republic of China, the crime of "sale or illegal provision of personal data" was included <1>. The Standing Committee of the Eleventh National People's Congress adopted the seventh amendment to the Criminal Law, providing for Article 253 (a) of the Criminal Code of the People's Republic of China. This amendment has become the most widely used legal instrument to ensure the protection of privacy in China <2>.
--------------------------------
<1>
<2> De Hert P., Papakonstantinou V. The Data Protection Regime in China. In-Depth Analysis // Brussels Privacy Hub Working Paper. 2015. Vol. 1. N 4. P. 15.
The Chinese legal doctrine positively evaluates the changes in the criminal legislation of 2009 on the protection of personal information. In particular, it is stated that "the seventh amendment to the Criminal Law expands the protection of personal information in China. At the moment, this is the only law providing for the protection of personal information. Other laws usually mention the need to protect privacy in very general terms and along the way (in one phrase or one sentence), or they are aimed at protecting certain categories of data." <3>
--------------------------------
<3> Wu Y. Personal data protection in e-government: Globalization or glocalization? A comparative study of the United States, Germany and China, 2010.
In the 2009 edition, Article 253 (a) of the Criminal Code of the People's Republic of China provided for criminal liability for the illegal sale or illegal provision of personal information of citizens obtained in the course of performing duties or providing services by government officials or employees of financial telecommunications, transport, educational, medical and other institutions, as well as for theft or illegal receipt of the above information in another way.
Due to the fact that the legislative definition of the category of "personal information" was given only in 2017 in the Law on Cybersecurity <4>, this gave rise to many doctrinal disputes, as well as practical questions regarding the content of this category.
--------------------------------
<4> According to Article 76 of the said Law, the term "personal information" means various information recorded electronically or by other means that can identify the identity of an individual separately or in combination with other information, including, but not limited to, the name of an individual, date of birth, identification number, biometric information, residential address, phone number , etc .
In particular, there was no consensus on whether the content of the concepts of "personal information" and "confidential information" was identical. Professor Zhao Bingzhi points out <5> that personal publicly available information can also be subject to criminal law protection in accordance with Article 253 (a) of the Criminal Code of the People's Republic of China. "Despite the fact that some personal information may be publicly available, it should still be subject to criminal law. The harm of information leakage is that the guilty person who illegally uses personal information can exclude the victim from a variety of social relationships by "blocking" him. The criminal law protection of personal information is not only the protection of privacy, but also, more importantly, the protection of public order from possible harm due to information leakage." <6>
--------------------------------
<5>
<6>.
In 2016, a scientific and practical study was conducted in the Shanghai Court, the subject of which was personal information. When analyzing 125 criminal cases on the illegal use of personal information, the following conclusions were drawn <7>.
--------------------------------
<7>
1. The courts, by defining the personal information of citizens in a complex and diverse way, cover almost all aspects of private life. Thus, the courts regarded the following types of information as personal information: 1) identification information, including name, phone number, address, information about family members, information about mobile registration; 2) information about property, including bank accounts, vehicle, real estate and financial transactions; 3) information about the location of a person, including placement in about the hotel, about air travel, about the parking space; 4) information about education, 5) call details, 6) information about transactions and other types of information.
2. Many concepts of personal information that have developed in the legal doctrine of China can be presented in the form of: a) theories of association; b) theories of confidentiality and c) theories of identification.
Association theory considers personal information in a broad sense - it is any information related to a person for any reason. This concept covers all types of social relations and includes the widest amount of information in the content of the concept of "personal information", for example, information about a car or any other property belonging to a person.
Privacy theory defines personal information as information of a confidential nature that a person does not wish to distribute. For example, for most members of society, their own biometric data, such as height or weight, is not classified information. However, some people tend to keep this information confidential.
Due to the fact that some people consider certain information confidential, while others do not object to its disclosure, the criterion of "confidentiality" cannot underlie the definition of personal information.
Identification theory refers to the personal information of citizens information that identifies the identity of a citizen, such as name, occupation and profession, position, age, marital status, education, etc. Therefore, the use of the identification concept reflects the most adequate (from the point of view of criminal law protection of personal information) scope of this category.
3. Personal data directly or indirectly identifying a person differs from each other in the degree of identification. In this regard, not any such information individually (let's call it conditionally a "unit of information", for example, 10 surnames of citizens represent 10 units of personal information; one person's home address is 1 unit of information) can be the subject of criminal law protection. Thus, the following groups of identifying information can be distinguished:
a) information that is unique to a particular person (for example, identification number and biometric data). By means of one unit of such information, an unmistakable identification of an individual is possible. Obviously, this type of information has the highest degree of identification;
b) information belonging to a specific person, but having the property of being duplicated and repeated. For example, name, phone number, transaction details. This type of information has a high identification efficiency, but it cannot accurately identify a specific person due to the possibility of repetition. For example, using a name and phone number, you can identify a person within a certain area. But when the search range increases, the effectiveness of such information will be significantly reduced. Consequently, individual units of such information are not subject to criminal law protection, due to the fact that there is no accurate identification of the person.
Judicial practice shows that the combination of a name and a phone number is the minimum requirement for granting information the status of legally protected personal information;
c) information that characterizes a person as a member of certain social groups. For example, age, occupation, education, etc. The identification efficiency of this type of information is the lowest. Therefore, even if the category of information in question combines a lot of information, by itself it cannot meet the standard of identifiability.
Traditionally, China's criminal law doctrine is based on the theory of four-element corpus delicti <8>. In this regard, it seems reasonable to consider objective and subjective signs of a crime against personal information.
--------------------------------
<8> Moons H. The corpus delicti in the criminal law doctrine of China // Lex russica (Russian Law). 2016. N 9. pp. 129 - 135.
Chapter 4 "Crimes against the rights of the individual and the democratic rights of citizens" of the Criminal Code of the People's Republic of China, which establishes the composition of the crime in question, indicates that the crime against personal information primarily damages the rights of the individual. The position seems to be correct, according to which the direct object of the crime in question is the right to the security of personal information of individual citizens <9>. This right is an element of the right to privacy. According to art. 1034 of the Chinese Civil Code <10> the provisions on the right to privacy apply to personal information. Despite the fact that the purpose of protecting personal information is, among other things, to prevent further crimes and violations of citizens' rights caused by information leakage, "personal interests take precedence over public and legal interests in crimes against personal information" <11>.
--------------------------------
<9>
<10>
<11>
The objective side of the crime under Article 253 (a) of the Criminal Code of the People's Republic of China is characterized by the following alternative actions: 1) the sale or illegal provision of personal information, as well as 2) theft or other methods of illegally obtaining personal information.
According to the official judicial interpretation <12>, illegal provision of personal information includes any cases of its dissemination in the absence of the consent of the data subject. In addition, the provision of information refers to the dissemination of such information on the Internet.
--------------------------------
<12>
Looking ahead a little, we note that in 2015, the Ninth Amendment to the Criminal Code of the People's Republic of China excluded the word "illegal" in relation to the sale or provision of information. It is noted that the sale or provision of personal information in the absence of a legitimate basis and/or consent of the data subject is illegal in nature. Accordingly, the term "illegal" does not refer to the methods or any other circumstances of selling personal information <13>.
--------------------------------
<13>
Other methods (with the exception of theft) of illegally obtaining personal information include its purchase, gratuitous receipt, exchange, as well as the collection of personal information, for example, in the process of providing services.
The subject of the criminal encroachment in question, Article 253 (a) of the Criminal Code of the People's Republic of China, as amended in 2009, could be individual individuals; civil servants or employees of financial telecommunications, transport, educational, medical and other institutions, as well as legal entities engaged in these industries. The subjective side of the crime in question is characterized by an intentional form of guilt.
The first criminal case <14> under Article 253 (a) of the Criminal Code of the People's Republic of China was initiated in 2009 against the accused H. from Zhuhai, who illegally acquired a telephone call log of local government officials and then sold it to fraudsters. The latter, posing by phone as officials allegedly in an emergency situation, received money transfers from friends or relatives of the victims. Kh. was sentenced to 18 months in prison and fined.
--------------------------------
<14> Greenleaf G. Asian Data Privacy Laws - Trade and Human Rights Perspectives. Oxford University Press, 2014. P. 199.
The content of Article 253 (a) of the Criminal Code of the People's Republic of China as amended in 2009 was characterized by uncertainty, which caused further improvement of the norm.
Firstly, as already mentioned above, at the time of the introduction of the corpus delicti in question, there was no accurate understanding of the scope of protection of personal information of citizens.
Secondly, problems in law enforcement practice were caused by an open list of corporate activities that could be subject to a criminal ban ("government, financial, telecommunications, transport, educational and medical institutions, etc."). There was no understanding of whether this list should include only the listed areas of activity of legal entities or whether it should include other types of institutions providing services to the public. In this regard, Chinese jurist Zhou Hanhua points out <15> that in the judicial practice of different regions, the understanding of the crime under study was heterogeneous. In some regions, an interpretation was used according to which the subject was limited exclusively to the fields of activity listed in the article. This certainly limited the protection of personal information. At the same time, in judicial practice, there was also an opposite approach <16>, extending the scope of Article 253 (a) of the Criminal Code of the People's Republic of China to the spheres of activity of companies not directly named in the article (for example, express delivery).
--------------------------------
<15>
<16> Livingston S., Greenleaf G. China Whys and Wherefores - Illegal Provision and Obtaining of Personal Information Under Chinese Law, 2014.
Thus, the imperfection of the wording of Article 253 (a) of the Criminal Code of the People's Republic of China necessitated its clarification. The uncertainty of the criminal law prohibition negatively affected the uniformity of judicial practice, as well as created qualification problems.
In the following case, the problem of determining the areas of activity of companies subject to a criminal law ban caused an inaccurate qualification of a criminal act. Thus, Peter Humphrey and his wife were convicted under Article 253 (a) of the Criminal Code of the People's Republic of China <17>. Peter was the head of ChinaWhys Co, a company that specialized in providing consulting services. In July 2013, the police detained the couple and then accused them of illegally obtaining personal information. The couple allegedly acquired personal information from marketing companies, which was subsequently provided to their clients in the form of reports prepared for them. The information included 256 pieces of personal information (800 - 2,000 yuan per entry), including information about hukou (residence permit), movements and location.
--------------------------------
<17> Livingston S., Greenleaf G. Op. cit. P. 1.
The couple were found guilty of illegally obtaining personal information. The absence of "illegal provision or sale" in the charge is explained precisely by the inaccuracy of the law. Thus, marketing companies went beyond the industries covered by Article 253 (a) in the 2009 edition.
Peter Humphrey was sentenced to two and a half years in prison and fined 200,000 yuan (about $32,000). His wife, Yu Yingzeng, was sentenced to two years in prison and fined 150,000 yuan (US$24,000).
On November 1, 2015, the Ninth Amendment to the Criminal Code of the People's Republic of China <18> came into force, strengthening the protection of personal information. Firstly, the scope of the criminal law ban was extended to all areas of public and private institutions (as mentioned above, the article in question in the 2009 edition defined the list of areas of activity of corporations in respect of which criminal liability was established). Secondly, the amendment increased the maximum penalty to seven years in prison if the circumstances of the crime are particularly serious.
--------------------------------
<18>
Thus, Article 253-1 of the Criminal Code of the People's Republic of China, as amended in 2015, established criminal liability for the illegal sale or provision to third parties of personal information of citizens obtained in the course of performing duties or providing services, and theft or otherwise illegally obtaining personal information of citizens.
The above-mentioned acts constitute a crime in the presence of serious circumstances and are punishable by imprisonment for up to 3 years, or arrest, or a fine (as an additional or main punishment). In the presence of particularly serious circumstances, a custodial sentence may be imposed for up to 7 years <19>.
--------------------------------
<19> Lotus R. Diminishing Rights: China's Data Laws and Regulations. Australian Strategic Policy Institute, 2018. P. 7 - 9.
According to Article 30 of the Criminal Code of the People's Republic of China, corporations are the subject of criminal liability <20>. In this regard, if the above crimes are committed by a corporation, then a fine is imposed as punishment, and individuals directly responsible for committing acts are punished independently within the limits of the sanction established by the article.
--------------------------------
<20> According to Article 30 of the Criminal Code of the People's Republic of China, companies, enterprises, organizations, institutions, collectives engaged in activities dangerous to society, based on the provisions established by the Criminal Code of the People's Republic of China for crimes committed by organizations or institutions, must be criminally liable.
An important event in the field of criminal law protection of personal information was the publication on May 9, 2017. The Supreme People's Court and the Supreme People's Prosecutor's Office of China have issued joint clarifications <21> on the application of the law in criminal cases concerning the misuse of personal information of citizens.
--------------------------------
<21>
Article 1 of the clarifications states that personal information of citizens is information provided in electronic or other format through which an individual can be identified directly or through which a person can be identified in combination with other information, in particular name, identification document number, contact information, address, account password, property status, location, etc . As can be seen from the presented definition, the highest state authorities of the People's Republic of China have chosen a fairly broad approach to the interpretation of personal data.
Serious circumstances, in the presence of which there is a corpus delicti, include the following <22>:
1) provision of personal information for the purpose of criminal activity by third parties;
2) illegal receipt or provision of more than 50 pieces of personal information about the location, credit information or property of the victim;
3) illegal receipt or provision of more than 500 pieces of personal information (for example, information about the place of residence, health status, transactions, etc.);
4) illegal receipt or provision of more than 5,000 pieces of personal information that do not meet the above criteria;
5) illegal income from the sale or provision of personal information exceeds 5,000 yuan;
6) the sale or provision of personal information obtained in the performance of official duties or the provision of public services, the number of units of which exceeds half of the upper limit specified in paragraphs 2-4;
7) repeated involvement of a person who has been subjected to administrative responsibility or criminal punishment for violating the legal regime of personal information of citizens within two years.
--------------------------------
<22> It should be noted that the list of such circumstances is open and their definition is left to the discretion of the court.
Yang Feng, a researcher in the field of data protection, points out that a notable feature of the protection of personal information under Chinese criminal law is the low thresholds for criminalizing the misuse of personal data. Thus, according to the judicial interpretation, a serious circumstance in which the corpus delicti is carried out is the illegal receipt or provision of more than 50 pieces of personal information. This is information about the location, credit information or property of the victim. For less important data, from the point of view of the Chinese legislator, such as information about the place of residence, health status and financial transactions, an increased minimum amount required for criminal prosecution has been determined - 500 units. For other personal data, the minimum amount is set at 5,000 units. If the offender is an employee of a government agency or provides public services, the threshold is even lower. For them, the minimum amount of data is half of the specified minimum amount <23>.
--------------------------------
<23> Feng Y. The future of china's personal data protection law: Challenges and prospects // Asia Pacific Law Review. 2019. Vol. 27. N 1. P. 62 - 82.
According to the explanations, the circumstances are considered particularly serious in the following cases:
1) causing serious consequences, such as death, serious harm to health, mental disorder or kidnapping of the victim;
2) causing major property damage or adverse social consequences;
3) the number of units of personal information exceeds by more than ten times the value of any of the thresholds provided for serious circumstances;
4) other situations where the circumstances are particularly serious.
According to Article 11 of the clarifications, in case of illegal receipt and then sale of a citizen's personal data, the number of units of such information is not counted twice. However, if the same personal information is sold to different corporations or individuals, then the number of units of such information is calculated cumulatively.
The court appoints punishment taking into account the amount of damage caused by the crime, the amount of illegal income received as a result of the commission of the crime, the presence of a criminal record of the accused, the presence of remorse and other circumstances.
Thus, it can be noted that China is currently making more and more efforts to protect the personal information of citizens, including by imposing fairly strict sanctions for criminal encroachments on personal information.
For example, in 2016, Zhou Bincheng acquired more than 1.93 million pieces of personal information of students. He later sold the information for 65,400 yuan. The Pinghu City People's Court, taking into account the confession, sentenced Zhou Bincheng to imprisonment for one year and 11 months, as well as to a fine of 40,000 yuan. Those who bought students' personal data were also sentenced to imprisonment and a fine <24>.
--------------------------------
<24>
In another case, Xia Fuxiao <25> sold personal data about online purchases containing the names of citizens, delivery addresses, mobile phone numbers and other information. The culprit made an illegal profit of about 50,000 yuan. The Shaoxing City People's Court sentenced Xia Fuxiao to two years in prison and a fine of 2,000 yuan.
--------------------------------
<25>
According to statistics from the Ministry of Public Security of the People's Republic of China, in 2020, more than 3,100 criminal cases of encroachment on personal information of citizens were registered <26>.
--------------------------------
<26>
Based on the analysis of the legislation of the People's Republic of China and the practice of applying Articles 253-1 of the Criminal Code of the People's Republic of China, it can be concluded about the established approach to providing criminal protection of personal information of citizens. At the same time, it seems that the reasons for the emergence of this approach are due to the emergence of a social credit system (hereinafter - SCS), which massively accumulates personal data of citizens. Based on the data obtained, the behavior of citizens is either encouraged or censured with restrictions. The launch of the social credit system was officially announced in 2014. in the "Plan for the construction of a social credit System for 2014-2020" <27>.
--------------------------------
<27> On June 14, 2014, the State Council issued a Notification to the State Council on the release of a Plan for the construction of a social credit system (2014-2020). Compared with the 2007 document of the State Council, the 2014 document gives a more detailed picture of the construction of a unified social credit system. It should be noted that until 2014, pilot social credit programs were implemented in China at the regional level. For example, in 2010, a "mass lending" experiment was conducted that measured and evaluated individual behavior. Initially, 1,000 credit points were issued to citizens, which could be written off for violating certain legal, administrative and moral norms. For example, drunk driving cost 50 points, having a child without family planning permission cost 35 points, and non-repayment of a loan cost from 30 to 50 points. The lost points could be restored after a period of time: from two to five years, depending on the rule violated and the severity of the violation. Based on the points received, the citizens were divided into categories from A to D. See more details: Creemers R. China's Social Credit System: An Evolving Practice of Control. P. 10.
The SCS has some similarities with credit ratings that exist in other countries, but it allows you to get information related to almost all spheres of life of Chinese citizens. "The system is aimed at assessing the "reliability" in compliance with legal and moral norms, professional and ethical standards" <28>.
--------------------------------
<28> Chen Y., Cheung A. The Transparent Self Under Big Data Profiling: Privacy and Chinese Legislation on the Social Credit System // The Journal of Comparative Law. 2017. Vol. 12. N 2. P. 356.
In the absence of a single legislative definition of the term "social credit" <29>, there are many doctrinal approaches to its interpretation. Gu Mingkang, a lawyer from Xiangtan University, points out <30> that in a broad sense, social credit means the objective ability and subjective willingness of a citizen to fulfill social obligations.
--------------------------------
<29> Drinhausen K., Brussee V. China's Social Credit System in 2021: From fragmentation towards integration, 2021.
<30>
Within the framework of the SCS, public authorities and private companies exchange credit information about violators. The mechanism of such interaction, as well as a number of consequences for violations (restrictions on leaving the country, buying real estate, traveling on high-speed trains, staying in a hotel above standard class) was established in 2016 by the State Council of the People's Republic of China in a Decree "On a joint disciplinary system" <31> (the so-called mechanism of joint punishment).
--------------------------------
<31>
The essence of the mechanism of joint punishment lies in the fact that citizens who violate trust in the field of activity of one department and are blacklisted are denied services by other bodies or companies. The result of such a partnership, for example, was that by the beginning of 2017, 6.15 million citizens were deprived of the opportunity to buy air tickets. As a result of being blacklisted, violators not only cancelled business deals, but also broke up marriages due to the destruction of reputation <32>.
--------------------------------
<32> Chen Y., Cheung A. The Transparent Self Under Big Data Profiling: Privacy and Chinese Legislation on the Social Credit System // The Journal of Comparative Law. 2017. Vol. 12. No 2. P. 366 - 367.
Without giving an assessment of the social credit system that is developing in China, we emphasize that the personal data of citizens are the object of close attention of the public and the state. The decision to include a citizen in the blacklist is made by government agencies on the basis of personal information, which entails a number of negative restrictions. It seems that these trends have prompted the legislator to pay increased attention to the protection of personal data, including through criminal legal means.
Thus, it can be concluded that the increased criminal protection of personal information of Chinese citizens is due to the emergence of a social credit system. This system involves the accumulation of information from the public and private sectors related to all spheres of life of Chinese citizens. A significant degree of state intrusion into the private space of citizens correlates with effective measures to protect personal information. Using the example of China, we see the desire of the state to protect the personal data of citizens, including through criminal legal means.
