Comparative Study Of China’S Cybercrime Law With South Korea
Comparative Study: China vs. South Korea in Cybercrime Law & Enforcement
Legal Frameworks: China and South Korea
China
Criminal Law Provisions
China’s Criminal Law contains specific provisions for cyber‑crimes under the section “Crimes of Disturbing Public Order.” Relevant articles include:
Article 285: Illegally obtaining data from a computer information system, or controlling such a system.
Article 286: Sabotaging a computer information system (e.g., introducing malware).
Article 287: Using networks to commit other crimes (e.g., using hacking to commit fraud), in which case the more serious crime’s penalty applies.
Also Article 253(1): Infringement of personal information (unlawful acquisition or sale).
Cybersecurity Law
China’s Cybersecurity Law (CSL) places obligations on network operators to secure data, manage critical infrastructure, and prevent unauthorized access.
There are also administrative punishments for lesser violations (under Public Security Administration Punishments Law).
Criminal Procedure & Jurisdiction
In 2022, China issued detailed opinions (judicial guidance) clarifying how to handle “information network cases” (cybercrimes) in criminal procedure: e.g., defining what constitutes “jeopardizing the security of computer information systems,” “unlawful exploitation,” or aiding cybercrime.
Courts and prosecutors use these guidelines to coordinate across jurisdictions, because cybercrime often involves scattered victims and offenders.
South Korea
Primary Laws
Act on the Promotion of Information and Communications Network Utilization and Information Protection (often called the Network Act). This regulates unauthorized system access, distribution of malicious code, and more.
Personal Information Protection Act (PIPA): Covers illegal acquisition, use, or disclosure of personal information.
Criminal Code / “Computer-related Offenses”: There are penalties under traditional criminal law for fraud, obstruction, etc., when done via computer.
Penalties
Under the Network Act, unauthorized access can lead to up to 5 years’ imprisonment or a fine (for data damage) of up to KRW 50 million.
Possession or use of hacking tools (malicious code) can carry up to 7 years imprisonment or up to KRW 70 million fine.
Under PIPA, illegally acquiring and providing personal data for profit may lead to up to 10 years in prison or a fine (very high) of up to KRW 100 million.
Developments / Precedents
South Korea's Supreme Court clarified in a web‑crawling case (2021Do1533) that not all automated data crawling is necessarily unauthorized access; legality depends on API use, terms of service, technical blocking, etc.
Comparison: Key Differences & Similarities
| Feature | China | South Korea |
|---|---|---|
| Legal basis for cyber‑crimes | Criminal Law + Cybersecurity Law; strong central regulatory and criminal regime. | Network Act + PIPA + Criminal Code; more segmented but detailed. |
| Focus of enforcement | Data theft, hacking, fraud, personal information sale, system sabotage. | Unauthorized access, malicious code, data scraping, personal information abuse. |
| Penalties | Up to 7 years (or more), fines; also unit (corporate) criminal liability. KWM+1 | Up to 7 years for code use; large fines; heavy penalties for data misuse. |
| Cross-border / international scope | Cybercrimes are prosecuted domestically; guidance issued for network crimes; large-scale fraud ring crackdowns. | Domestic cyber‑crime enforcement; but also major cases with cross‑border data or IP theft. |
| Judicial clarity (precedents) | Relatively fewer published “cyber‑crime only” landmark cases; more reliance on procedural opinions. | Clear Supreme Court case (2021Do1533) on web crawling; established precedent for data scraping legality. |
Case Studies: Key Cases in China and South Korea
Here are detailed cases that help illustrate how the two systems work, how laws are applied, and how courts draw the line in cybercrime.
China – Case Studies
Du Tianyu (“Telecom Fraud / Hacking Personal Info”)
Facts: In Shandong province, Du Tianyu illegally accessed an official website containing personal data of gaokao (college entrance exam) test‑takers – around 640,000 examinees’ data.
He then sold personal information (names, ID, contact) to a fraud gang (led by someone named Chen), who used it to call students and scam them. China Daily
Legal Charges: Illicit access to computer information system (Criminal Law, Article 285), plus personal data infringement. China Daily+1
Outcome: Du was sentenced to 6 years’ imprisonment and fined RMB 60,000. China Daily
Significance: This case shows how personal data theft, even from publicly accessible systems, is treated severely, especially when used to facilitate fraud with real-world harm (fraud targeting students).
Zhang, Huang & Others: Illegal Data Obtaining & System Control
Facts: According to legal reporting, Zhang used hacking techniques (“hacker technology”) to illegally obtain data from a computer system (including credit card information of foreign citizens) and then passed it to Huang to sell.
Legal Charges: Illegally obtaining data (Criminal Law Article 285), and possibly controlling systems.
Outcome: In a Zhejiang court (Jinhua Intermediate People’s Court), Zhang was sentenced to 5 years’ imprisonment + fine (RMB 140,000), and Huang got ~4 years 11 months + fine (RMB 135,000).
Significance: Demonstrates “unit crime” (corporate or group responsibility) and strong punishment for data theft purely for resale.
Xu & Li: Facial Recognition / Personal Information Trade
Facts: Xu purchased facial images/videos of about 130 people, used software that bypassed facial-recognition systems; Li then used that software to help others regain access to blocked accounts (e.g., social media), reselling that data.
Legal Charges: Infringement of personal information under Criminal Law / data protection; unauthorized access to systems (smart devices).
Outcome: Xu got 9 months’ imprisonment, Li got 6 months; both fined, their illicit profits and devices confiscated.
Significance: This is a pivotal case: facial recognition data is treated as especially sensitive, and illegal trade/access is criminalized. The Supreme People’s Court (SPC) explicitly called for zero tolerance. Supreme People's Court of China
Internet Bullying & Personal Data / Cyberviolence Gang (Sichuan)
Facts: A gang in Sichuan used hacking to gather a large amount of personal information, then carried out cyber‑harassment, doxxing, and forced apology videos from victims, including minors. People's Daily
Legal Charges: Infringement on personal information, “aiding and abetting network crime,” cyber harassment and intentional injury.
Outcome: One defendant (“Zhang”) was sentenced to 6 years in prison, fined 10,000 yuan, per the public security organs’ report.
Significance: This case highlights how cyber-enabled violence, not just pure hacking or data theft, is prosecuted under Chinese cybercrime law. It also shows the use of cyber tools for intimidation and personal harm, which is being punished.
South Korea – Case Studies
Supreme Court Web‑Crawling Decision (2021Do1533)
Facts: Employees of “Company A” developed a crawling system that accessed Company B’s reservation‑app API repeatedly (even disguised as regular users) and copied data (names, room data) from the app. 법무법인 아틀라스
Legal Charges:
Unauthorized access / computer network invasion (Network Act) 법무법인 아틀라스
Copyright violation (they replicated competitor’s database). 법무법인 아틀라스
Obstruction of business (via mass automated requests). 법무법인 아틀라스
Outcome:
First‑instance court: Guilty on all counts; judges viewed the crawling as intrusion, replication as copyright violation, and business obstruction. 법무법인 아틀라스
Appeals court: Not guilty on all counts, reasoning included: API was public, no login required, IP blocking weak, packet analysis not inherently illegal, and Terms of Service didn't clearly forbid such crawling. 법무법인 아틀라스
The Supreme Court’s final decision is closely watched; it clarifies when automated data scraping constitutes a crime. (This is sometimes called a “historic precedent.”) 법무법인 아틀라스
Significance: This case is very important in South Korea’s cyber‑law regime because it draws clear boundaries around web crawling: not all automated data collection is criminal; context, API design, access restriction, and T&Cs matter.
Nth Room Case (Sexual Blackmail via Messaging)
Facts: This criminal case involved online sexual exploitation and blackmail via Telegram. The perpetrators operated “rooms” where they shared sexually explicit content (including with minors), extorted victims, and distributed content for cryptocurrency payments.
Legal Charges: Use of communications system for blackmail, sexual exploitation, distribution of illegal sexual content. (Also overlapping cybercrime + traditional crimes.)
Outcome: The one known leader (“Doctor” / Cho Ju‑bin) was initially sentenced to 40 years, later extended to 42 years.
Significance: Although not a simple hacking case, the cyber component (Telegram, digital payments, encryption) made enforcement complex. It underscores South Korea’s ability to prosecute cyber‑enabled sexual crime, not just data hacking.
Tech IP Theft Law Amendment (2024)
Facts/Context: In 2024, South Korea strengthened penalties for leaking or stealing “core technology / industrial secrets.”
Legal Change: Under the Prevention of Divulgence and Protection of Industrial Technology Act, maximum imprisonment for tech IP theft was increased (sentences tripled).
Significance: This is more a legal-policy development than a single case, but it's critical: it shows South Korea sees cyber‑espionage / IP theft via digital means as a serious national security and economic crime, warranting much harsher penalties.
Analysis: Comparative Insights from the Cases
Scope of Cybercrime
China: Very broad — data theft, system hacking, personal information trafficking, cyber‑violence.
South Korea: Also broad, but with more nuance around automated data access (web crawling) and personal data protection (PIPA).
Legal Evolution & Adaptation
China relies on its Criminal Law + specialized guidelines, and increasingly tight regulation of personal-data-sensitive areas (e.g., facial‑recognition data).
South Korea uses distinct but complementary statutes (Network Act + PIPA), and its courts (especially the Supreme Court) are actively shaping how cyber law applies to “newer” digital behaviors like web crawling.
Enforcement & Penalties
China imposes significant prison terms for data theft (e.g., the hacker who sold gaokao data got 6 years), signaling strong deterrence.
South Korea also imposes heavy penalties, but in certain cyber‑gray areas (like scraping), enforcement is more cautious and depends on technical and contractual realities.
Protection of Personal Information
In China, personal data (especially sensitive data like facial images) is being recognized more and more as needing criminal protection; recent SPC judgments reaffirm this.
In South Korea, PIPA already criminalizes illicit data acquisition and trade, and courts draw lines on how data may be collected (e.g., via crawling).
Cyber‑Enabled Non‑traditional Crimes
Both jurisdictions prosecute crimes that are not “just hacking”:
China: cyberbullying, doxxing, online fraud.
South Korea: sexual exploitation on Telegram, IP theft, large-scale data extraction through crawling.
Critical Observations / Challenges
Jurisdiction & Cross‑Border Enforcement: Cybercrimes often cross national borders, but enforcement is mostly domestic. Both China and South Korea need coordination (e.g., via mutual legal assistance) to handle international cyber‑threats.
Technical Complexity vs Legal Doctrine: The Supreme Court web-crawling case in South Korea shows how courts must understand technical/API architecture to decide whether crawling is “unauthorized access” — this is a major challenge for legal systems.
Balancing Innovation & Security: Strict cybercrime laws risk chilling legitimate use of data (e.g., research, web services) if not carefully interpreted. The Chinese cases on facial recognition data show tension between security and innovation.
Protection of Vulnerable Data: As China increasingly treats biometric data as highly sensitive, there is a risk of overcriminalization or excessive state control — but it also helps deter misuse.
RELATED Blog
comments