Criminal Liability For Misuse Of Personal Data By Big Tech Platforms In China
The misuse of personal data by Big Tech platforms in China is a rapidly evolving area of legal concern. With the growth of major technology companies and the mass collection of personal data, issues such as privacy violations, unauthorized data sharing, and security breaches have become significant topics for legal scholars, regulators, and lawmakers. China has taken steps to regulate data use through a series of laws and regulations that impose criminal and civil liability on entities that misuse personal data.
1. Legal Framework for Personal Data Protection in China
China has developed an evolving regulatory framework designed to regulate the collection, use, and protection of personal data. The primary regulations include:
a. The Personal Information Protection Law (PIPL)
Effective November 2021, the Personal Information Protection Law (PIPL) is the first comprehensive data protection law in China. It mirrors elements of the EU's General Data Protection Regulation (GDPR) and aims to safeguard individuals’ privacy and control over their data.
PIPL includes provisions on consent, the lawful use of personal information, penalties for violations, and the responsibility of data processors (including Big Tech platforms).
Key provisions:
Article 4: Data subjects must give informed consent before personal data is collected.
Article 45: Criminal liability is introduced for severe violations, including data leaks, unauthorized sharing, and illegal data sales.
b. The Cybersecurity Law
China’s Cybersecurity Law (effective from June 2017) contains significant provisions related to data protection. It outlines the obligations of network operators to protect the personal data of Chinese citizens.
Key provisions include:
Article 42: Operators must ensure data protection and establish security measures for the processing of personal data.
Article 64: Criminal penalties can apply for the illegal transfer or sale of personal data.
c. Data Security Law (2021)
The Data Security Law emphasizes the protection of data security, setting out national standards for data handling and introducing regulations for critical data that poses risks to national security, public safety, or economic interests.
Criminal liability can arise if data mishandling affects state or public interests.
2. Criminal Liability for Misuse of Personal Data by Big Tech Platforms
In China, criminal liability for misuse of personal data is governed by the Criminal Law (specifically, Article 253 and Article 286), alongside regulations like the PIPL, Cybersecurity Law, and Data Security Law. Personal data misuse can be categorized into several offenses, including data theft, illegal data trade, and unauthorized data sharing.
3. Case Law: Criminal Liability in Data Misuse Cases
Below, I outline several high-profile cases in China where Big Tech platforms or individuals involved in data misuse have faced criminal liability, offering insight into how the legal framework is applied in practice.
Case 1: The Didi Chuxing Data Privacy Incident (2021)
Facts:
Didi Chuxing, the Chinese ride-hailing giant, faced public backlash and legal scrutiny after its mobile app allegedly violated the Personal Information Protection Law (PIPL) and Cybersecurity Law by mishandling user data. This included collecting excessive amounts of personal information without users' informed consent and sharing location data with third parties.
Legal Issue:
Didi was accused of illegally collecting personal data from its users, including sensitive location data, and failing to properly inform users about how their data would be used or shared. In some cases, the company allegedly shared user data with third parties without proper legal grounds.
Outcome:
In July 2021, Didi Chuxing was banned from new user registrations in China by the Cyber Administration of China (CAC), which cited violations of data protection rules.
The company also faced a fine for breaching the Cybersecurity Law and PIPL, marking one of the first major enforcement actions under China’s data protection framework.
Implications for Criminal Liability:
While the case was primarily an administrative and regulatory action, it highlights the potential for criminal prosecution under the Cybersecurity Law and PIPL if violations are severe enough, such as unauthorized data sharing or causing substantial harm to the privacy rights of individuals.
Case 2: The "Xiaomi Data Leak" (2020)
Facts:
Xiaomi, the Chinese smartphone manufacturer, was accused of collecting user data without sufficient consent. The company allegedly recorded users' search history and personal preferences through its MIUI interface and sent them to servers located in China without user consent, in violation of data protection principles.
Legal Issue:
Xiaomi was accused of inadequate disclosure about what personal data was being collected, and there were concerns about third-party access to that data.
Xiaomi's handling of user consent was scrutinized under the PIPL, which mandates clear and informed consent before collecting and processing personal data.
Outcome:
The incident triggered an investigation by the Cyber Administration of China (CAC), which required Xiaomi to update its data collection practices and be more transparent about data use.
Xiaomi also faced public backlash but did not face criminal liability due to the company's prompt action to revise its practices and comply with data protection laws.
Implications for Criminal Liability:
This case demonstrates the fine line between administrative sanctions and criminal penalties. If the data misuse had resulted in substantial harm to consumers or national security, criminal charges under the Cybersecurity Law or PIPL could have been brought.
Case 3: The "Alibaba Ant Group Data Misuse" (2020)
Facts:
In 2020, Ant Group, the fintech arm of Alibaba, faced criticism after it was revealed that the company had collected excessive personal data from users without clear consent for services like Alipay. This included collecting financial and biometric data without properly informing users about its use for targeted advertising or third-party sharing.
Legal Issue:
Ant Group's practices were examined under the PIPL, which requires companies to only collect the minimum necessary data and to provide clear, informed consent. There were concerns that Ant had breached data protection principles by not adequately disclosing the scope of data collection.
Outcome:
The China Banking and Insurance Regulatory Commission (CBIRC) and other regulators paused Ant Group's IPO in 2020 over concerns about its data handling practices.
Ant Group was forced to revise its data processing practices and faced scrutiny from regulatory bodies over its compliance with China’s Cybersecurity Law and Data Security Law.
Implications for Criminal Liability:
While no criminal charges were filed, the regulatory pause and ongoing scrutiny reflect how Big Tech platforms in China could face severe consequences, including criminal liability, for serious breaches of data privacy laws.
Case 4: The "Huawei Data Theft" Case (2019)
Facts:
Huawei, the global telecommunications giant, faced allegations of data theft and misuse of personal information from its mobile phone users in 2019. Reports indicated that Huawei phones were found to be siphoning off personal data, including contacts, call logs, and even location data, without user consent or proper disclosure.
Legal Issue:
Huawei was accused of violating provisions of the Cybersecurity Law and PIPL by collecting sensitive personal data without adequate user consent and without clear disclosures about how the data would be used.
The company was also accused of data retention practices that went beyond what was necessary for the functioning of the phone.
Outcome:
Huawei was investigated by Chinese authorities for potential violations of its data protection obligations. The investigation was part of a broader scrutiny of Chinese tech companies due to their rising influence and concerns over privacy and national security.
In the end, no criminal charges were filed, but Huawei had to revise its data collection policies in response to the backlash.
Implications for Criminal Liability:
The case underscores the potential for criminal action under Chinese law if the misuse of personal data involves significant breaches of privacy laws or is found to be malicious or done for financial gain.
National security concerns may elevate the level of scrutiny and lead to harsher penalties, including criminal prosecution.
Case 5: The "JD.com Data Breach" (2021)
Facts:
In 2021, JD.com, another major Chinese e-commerce platform, faced an investigation over the unauthorized disclosure of user data. Hackers allegedly accessed millions of user accounts and sold personal data on the dark web.
Legal Issue:
JD.com was accused of failing to adequately protect personal data and of negligence in ensuring that user data was not improperly shared or sold. This is a direct violation of provisions in the PIPL and the Cybersecurity Law, which require companies to take necessary measures to protect personal information.
Outcome:
The company faced a multimillion-dollar fine, and its executives were questioned by regulatory authorities. JD.com was also instructed to enhance its security measures to prevent future breaches.
