On August 29, 2015, China’s legislature, the National People’s Congress, amended the Criminal Law, effective November 1, 2015. Among other things, the amendments modify and add several provisions related to data privacy and cybersecurity. We discuss some of these key amendments below.

• Expanded criminal sanctions for illegal sale or provision of personal information. Previously, criminal sanctions for selling or providing personal information applied only to government personnel and certain sectors such as finance, telecommunications, transportation, education, and healthcare. Article 253 as amended now applies criminal sanctions to anyone who, in violation of relevant State rules, sells or provides the personal information of others if the circumstances are serious. The crime is punishable by fixed-term imprisonment of no more than three years and/or a fine. If the circumstances are “extremely serious,” the penalties are more severe: three to seven years imprisonment, plus a concurrent fine. The new amendments also provide that those who, in violation of relevant State rules, sell or provide personal information obtained in the course of conducting professional duties or providing services shall face penalties on the harsher end of the ranges described in the preceding paragraph.

• New penalties on internet service providers. Under the new Article 286(a), network service providers (and responsible individuals therein) who fail to fulfill “information network security administration duties prescribed by laws and/or administrative regulations” and refuse to take remedial measures ordered by regulatory authorities face criminal liability — fixed-term imprisonment of no more than three years, criminal detention, or public surveillance, with a fine either concurrently with such punishment or in lieu thereof — if one of the following circumstances occurs: (1) illegal information is widely disseminated, (2) user information is divulged and the circumstances are serious, (3) evidence in a criminal case is lost and the circumstances are serious, or (4) other “serious” circumstances are involved. We understand the term “network service provider” to include both internet service providers (e.g., telecom companies) and internet content providers (including websites). While the breadth of the term “serious” creates certain challenges to interpretation, these new provisions are consistent with the Chinese government’s recent focus on disciplining activities in cyberspace.

• Criminal liability for conducting and facilitating certain online activity. A new Article 287(a) explicitly provides criminal penalties for those who use information networks to (1) establish websites or communication groups to engage in illegal or criminal activities, (2) publish illegal information such as pornography or information regarding prohibited items (e.g., guns, illegal drugs), or (3) publish other information for the purposes of engaging in fraud or other illegal activities. Under a new Article 287(b), criminal penalties also may be applied to those who, with clear knowledge that another individual is using an information network to commit a crime, provides internet access, storage, hosting, or other technical support, or provides advertising, settlement of payments, and any other assistance for such crime.

These amendments come amidst a series of significant developments in China’s data protection and cybersecurity regime. (See, for example, our post on China’s recently published draft Network Security Law here, and another specifically on the implications of that draft law for data privacy in China here.)