In April 2020, the Central Committee and the State Council issued the first central document on “factors of production” – the resources that businesses use to produce goods and services. Called the Opinions on Establishing a Better System and Mechanism for Market-based Allocation of Factors of Production, it expressly designates data as a major production factor. In fact, it places data on par with land, labour, capital and technology.
The Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, successively issued in recent years, constitute the three major legal pillars of China’s digital economy era. They set the tone for protection and reasonable use of data and privacy.
In terms of administrative law enforcement and judicial practice, the Cyberspace Administration of China has punished various acts of illegally collecting and using personal information, while the judiciary has also intensified its crackdown on various cybercrime and data crime. In view of this, Chinese enterprises are finding it imperative to raise their awareness of data and citizen privacy protection and, even more importantly, to transform that awareness into action.
Prior to the pandemic, the author acted as counsel in two landmark network data crime cases that fully demonstrated the contradiction between the mounting judicial crackdown efforts and enterprises’ insufficient experience in data compliance. The cases also offer a valuable insight into corporate data compliance.
Case 1. A Beijing real estate agency employee used a web crawler to collect citizens’ personal information. After studying the prosecution materials, the author argued:
- The process for securing the relevant server logs was illegal;
- There were signs of alteration;
- No duplicate removal was carried out; and
- The statistical calibre was inconsistent.
Therefore, a plea of not guilty was entered on the grounds of insufficient evidence.
The court accepted the author’s core defence arguments and dismissed two central pieces of evidence, those being the investigation record and expert opinion. It imposed a shorter sentence than the prosecutor’s recommendation. The defendant admitted guilt and accepted the penalty.
Case 2. A Nanjing filmmaking company illegally obtained computer information system data by hotlinking. The case involved more than a dozen parties who, one after another, admitted guilt and accepted penalty. At the opening of the trial, the author argued that:
- There was no evidence showing that the defendants were the only subjects involved in the hotlinking; and
- There was no evidence to quantify losses sustained by the injured parties as a result.
A plea of not guilty was entered on the grounds of insufficient conclusive evidence.
Accepting the author’s core defence arguments, the court sentenced the parties to probation. This was mild compared to the prosecutor’s recommendation.
In both matters, the judges reacted similarly when facing insufficient evidence. They both adopted the method of “free evaluation of evidence”. While both imposed penalties, the penalties were lighter than recommended.
This seems to suggest that, even when a judge agrees on the argument of insufficient evidence, the defendant is unlikely to escape penalty. In the judges’ minds, the alleged criminal acts did take place but the volume of the act and the incurred losses could not be quantified.
Applying reverse-thinking of criminal defence when reflecting on the above-mentioned data crime cases, we can derive the following insights.
Corporations lack not only awareness of data compliance, but also an ability to identify illegality.
Companies guilty of data theft must establish data compliance systems. The truth is, if a crime took place during a company’s data compliance, it is conceivable that the company would not have been prosecuted, and so be spared from having a criminal record. In most such cases, whether the offence was committed by an individual or an entity, a chance can be granted to reform and rectify, as long as:
- The company is not mainly engaged in criminal activities; and
- Perpetrator admits guilt, accepts penalty.
Where a company seeks to prevent the recurrence of similar criminal offences by establishing a data compliance system, the judicial authority may waive prosecution, or treat it leniently. An experienced criminal defence lawyer may also be able to trace the origin of the criminal offence, identify the key risks and thus improve the data compliance system.
Demand for corporate data protection outstrips protection measures. There is no doubt that data theft should be punished. However, from the perspective of cybersecurity and data protection, “injured” companies should not sit idly by.
Under the Cybersecurity Law, a network operator is required to perform security protection to keep its network safe from interference, sabotage or unauthorised access. This includes the adopting technical measures to prevent computer viruses, cyberattacks and network intrusion. If a company fails to take appropriate action, it could face administrative penalties in minor circumstances, or bear criminal liability in serious cases.
Compliance is neither a panacea nor a once-and-done guarantee against all risks. Not all corporate risks need to be warded off. In general, there are three types of strategies against corporate risks: acceptance, neutralisation and avoidance.
- If a company deems the cost of sufficient security measures is too high, with the benefits sometimes exceeding the potential harm, it may opt to simply take the hit, thus adopting a strategy of risk acceptance.
- If security measures are taken to the effect of preventing threat reoccurrence and minimising damage, the strategy would be known as risk neutralisation.
- If security measures were taken to the effect that the threat would no longer lead to any security incident, producing a fundamental preventive effect, the strategy is known as risk avoidance.
The compilation of compliance risk checklists, in terms of both general risk identification and business procedure risk management, is a key step in a company’s compliance process. Astute observation and judgment are required to effectively assess the differences in risk types, the cost and effectiveness of security measures, and accordingly take the most sensible course of action.
Wang Jun is the director of Starrise Law Firm. She can be reached by phone at +86 136 0109 6729 and by e-mail at [email protected]
30 Beixingqiao Toutiao Alley