One of the more dramatic privacy law developments in China in 2014 was the August criminal conviction of foreign nationals Peter Humphrey and Yu Yingzeng for their violation of Article 253 of the Criminal Law (刑法) associated with their unlawful purchase of Chinese citizens’ personal information. One of the more notable developments in 2015 is the amendment of Article 253 by China’s legislature, the National People’s Congress (NPC), in order to permit

criminal prosecutions relating to a broader range of acts involving the unlawful disclosure or the unlawful procurement of personal information. The amended provision comes into effect November 1, 2015. This brief alert provides an overview of the changes to Article 253.Article 253 of the Criminal Law as currently in effect imposes criminal liability on employees of government institutions and companies in the financial, telecoms, transportation, educational and medical sectors who sell or otherwise unlawfully provide to third parties any citizen’s personal information that has been obtained in the course of employment or provision of services where the associated circumstances are “serious”. It also imposes criminal liability on any person who obtains that information by means of theft or other unlawful means—again, if the associated circumstances are “serious”. Punishment for breach of Article 253 as currently in effect includes prison terms or criminal detention of up to three years and/or a fine.
The amendment to Article 253 involves the following changes:

criminal prosecutions relating to a broader range of acts involving the unlawful disclosure or the unlawful procurement of personal information. The amended provision comes into effect November 1, 2015. This brief alert provides an overview of the changes to Article 253.Article 253 of the Criminal Law as currently in effect imposes criminal liability on employees of government institutions and companies in the financial, telecoms, transportation, educational and medical sectors who sell or otherwise unlawfully provide to third parties any citizen’s personal information that has been obtained in the course of employment or provision of services where the associated circumstances are “serious”. It also imposes criminal liability on any person who obtains that information by means of theft or other unlawful means—again, if the associated circumstances are “serious”. Punishment for breach of Article 253 as currently in effect includes prison terms or criminal detention of up to three years and/or a fine.
The amendment to Article 253 involves the following changes:
- It introduces the broader offense of “selling or otherwise providing personal information of citizens to another in violation of State regulations”. Regarding that offense, it provides for a longer prison sentence of three to seven years, as well as a fine if the circumstances are “extremely serious”.
- The scope of the current data privacy offense involving selling or otherwise unlawfully providing citizens’ personal information under Article 253 has been broadened. Criminal liability will attach to an employee of any organization, not just government employees and employees of companies in specified sectors, and will attach to enterprise offenders as well. No longer are of serious consequences a constituent element of the offense, and punishment includes the heavier of the two levels of punishment relevant to the broader offense described above (prison term of between three and seven years, and a fine).
- It creates a broader offense of “stealing or otherwise illegally obtaining personal data of others” that, unlike the analogous offense under Article 253 as currently in effect, is independent of the offense of selling or otherwise providing personal information obtained in the course of employment or provision of services. Serious consequences are not a constituent element of the offense, and punishment is the same as that applicable to the broader offense of selling or otherwise providing personal information as described above.