Companies that possess deep pools of data have the potential to reap rich rewards in today’s information age, but they must also be wary of rapidly evolving legal and regulatory boundaries that have created an escalation of criminal compliance risks.

Since the passage of the Cybersecurity Law in 2016, a series of new laws – the Civil Code, the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) – have stepped up enforcement and intensified regulation, requiring companies to exert self-discipline in ensuring compliance regarding their own core data, critical data and protection of users’ personal information.

The standards and conditions for judging the illegality of internet security offences involving crime have evolved. Here are some of the common scenarios.

Illegally obtaining, processing or selling personal information, or providing it to any third party. Under article 64 of the Cybersecurity Law and article 66 of the PIPL, companies found to have illegally obtained, processed or sold personal information, or to have provided them to any third party, will be subject to a fine, orders to cease production and operations or to the revocation of their business permit or licence. The persons responsible may also be barred from future engagement in the business. The criminal risks for companies for infringement of a citizen’s personal information can be found under article 253 of the Criminal Law.

In a 2020 judgment in Zhejiang province, an educational institution bought the personal information of more than 270,000 students, including their names, schools, phone numbers of their parents and addresses. With this information, they engaged a third party to market their education software by way of cold calls or free-of-charge tuition at home. The institution and all those involved were subsequently found guilty of infringing on citizens’ personal information.

Illegal network invasion, control of system or theft of network data or providing tools for the same. Under articles 22, 27 and 48 of the Cybersecurity Law, companies found to have planted any malware, illegally invaded any network, interfered with the regular functioning of another’s network, stolen network data or provided programs or tools aiding such actions, will have all illegal gains confiscated. Depending on the severity of the crime, those responsible face fines or administrative detention.

The corresponding risks for companies illegally obtaining data from or controlling a computer information system, or providing programs or tools aiding the illegal invasion or control of a computer information system, can be found under article 285 of the Criminal Law.

In a 2017 judgment in Beijing, an internet tech company was found using the “tt_spider” file to bypass the anti-scraping measures of ByteDance in order to scrape its video data. The company and main persons involved were found guilty of illegally obtaining data from a computer information system.

Providing technical aid or support to information cybercrimes. Under articles 27 and 63 of the Cybersecurity Law companies found to have knowingly assisted any activity endangering network security with, among others, technical support, advertisements and promotion or payment and settlement, will have all illegal gains confiscated. Again, depending on the severity of the crime, those involved will face fines or administrative detention. Article 287 of the Criminal Law provides for the corresponding corporate offences and liabilities.

In a 2020 judgment in Zhejiang province, an internet tech company, at the request of a client wishing to purchase a virtual currency trading software that manipulates price movements from the backstage, and knowing that such software could be used for illegal activities, produced the “24DCEP” digital currency trading platform for the client and provided follow-up technical support. The company and the main persons involved were found guilty of assisting information cybercriminal activities.

Potential compliance risks under intensified regulation for cross-border data transfer. Cross-border transfer of data or personal information are subject to heavy restrictions under articles 37 and 66 of the Cybersecurity Law, articles 31, 36, 45 and 46 of the DSL, and Chapter III Rules for Cross-border Provision of Personal Information under the PIPL. Security assessment and approval by the competent authority has become a prerequisite not to be neglected, especially for critical information infrastructure operators and processors of massive amounts of personal information. Depending on the severity of the situation, violators may be subject to a fine, suspension of business for rectification or revocation of business permit or licence.

Furthermore, companies should be aware that mishandling of certain sensitive information may constitute stealing, secretly gathering, purchasing or illegally providing state secrets or intelligence under article 111, or stealing, secretly gathering, purchasing or illegally providing trade secrets under article 219 of the Criminal Law. Such risks involving national security or corporate trade secrets will only grow in prominence as more eyes are drawn to data regulation and cross-border data transfer.

In addition to explicit legal prohibitions, the three laws have set out obligations that companies must strictly observe. For example, article 47 of the Cybersecurity Law sets out an operator’s duty to supervise and manage content published by users. If a company fails to make timely corrections after receiving an administrative warning for failure to perform its cybersecurity management duties, it runs the risk of being held criminally liable under article 286 of the Criminal Law.

When dealing with a gambling case in May 2021, the Chongqing cybersecurity bureau discovered that the suspect was using a mobile app platform to publish illegal advertisements such as “bank card or SIM card trading”. It was subsequently confirmed that, after receiving administrative penalties by the local public security authority in 2020, the operator of the app platform failed to make effective corrections to the in-app information.

As a result, the suspect was able to further publish more than 9,000 illegal advertisements on the platform, causing substantial damage. On 26 May, the responsible person of the platform operator was held under administrative detention for failing to perform his duty of cybersecurity management, thus breaching article 286 of the Criminal Law.