In May 2022, Putuo District People’s Procuratorate in Shanghai held a public hearing on its proposed decision not to prosecute a company for alleged illegal acquisition of data in computer information systems. The hearing concluded that the non-prosecution decision was appropriate on the ground that the company implemented adequate compliance measures.
This is the first reported case where the procuratorate has decided not to prosecute a company for a data protection and cybersecurity offence on the basis of compliance evaluation.
In this article, we look into the legal framework and the case and set out our observations.
The Criminal Law provides for several criminal offences relating to data protection and cybersecurity, including illegal intrusion into computer information systems, illegal acquisition of computer information system data, violating personal information of citizens, refusing to perform information network security management obligations, and illegal use of information networks.
Notably, companies that have committed such crimes will also be penalized, and the senior managers and personnel directly responsible for the offence may also be charged with relevant crimes.
China’s Supreme People’s Procuratorate (“SPP”) rolled out a scheme, under which prosecutors may decide not to prosecute an enterprise suspected of committing crimes, if the enterprise can demonstrate that it has implemented a compliance system satisfactory to the prosecutors and an independent third-party organisation within a specified period (“Corporate Non-Prosecution Scheme”).
In March 2020, the SPP launched the first phase of a pilot program of the Corporate Non-Prosecution Scheme at six local procuratorates. In April 2021, the SPP launched the second phase of the pilot program in ten provincial-level procuratorates and introduced a workplan to establish a third-party supervision and evaluation mechanism, whereby a group of third-party institutions will assess and evaluate whether the enterprise concerned has fulfilled its compliance commitments.
In June 2021, the SPP, jointly with other ministries, issued an official opinion setting out details of the operation and procedures of the third-party supervision mechanism (“Official Opinion”).
Under the pilot program, local procuratorates are empowered to publish their own implementation rules of the Corporate Non-Prosecution Scheme, but nationwide unified rules have yet to be formulated.
We summarise below the application scope and procedures of the Corporate Non-Prosecution Scheme based upon the Official Opinion and the implementing rules published by a district procuratorate in Shanghai.
The Corporate Non-Prosecution Scheme normally applies to crimes punishable with less than three years’ imprisonment. Besides, the relevant cases must also meet the following conditions:
In the following circumstances, the Corporate Non-Prosecution Scheme does not apply:
The procedures of the Corporate Non-Prosecution Scheme are as follows:
In the reported case, a company Z (“Company Z”) illegally obtained data for business purposes from an online takeaway platform without authorization, which caused direct economic losses of more than RMB 40,000 to the takeaway platform.
After investigation, the procuratorate determined to initiate the Corporate Non-Prosecution Scheme for the case on the ground that:
The Putuo District Procuratorate provided detailed guidance to Company Z for its compliance commitments. The recommendations proposed by the procuratorate mainly include:
In light of the above recommendations, Company Z took remediation actions and engaged legal advisors to formulate a data compliance rectification plan.
The third-party inspectors involved in this case were composed of experts from the Cyberspace Administration of China, a well-known Internet security company and an industrial organisation. The third-party inspectors supervised the data compliance rectification work of Company Z through inquiries, on-site interviews and investigations, document review and training sessions. Upon expiry of the inspection period, the third-party inspectors were of the opinion that the compliance measures taken by Company Z were satisfactory.
Key takeaways for companies are twofold. Companies that have been suspected of committing data-related criminal offences can seek a non-prosecution decision from the procuratorate, if they meet the requirements under the Corporate Non-Prosecution Scheme.
More importantly, companies should establish and continuously improve their data compliance system to avoid data and cybersecurity breaches and demonstrate to the authorities that adequate compliance measures have been taken in the event of such a breach.
We set out below a roadmap to help companies to address data compliance risks: