In an era where personal data is the currency of the digital economy, the criminalisation of illegal personal data use has emerged as a critical frontier for legal frameworks worldwide. Balancing robust protection of individuals’ data rights with the facilitation of innovation and economic growth presents an intricate challenge for legislators. As Z. Guo explores in depth, the concept of criminalising the unlawful use of personal data must navigate legal precision, proportionality, and technological complexity to avert unintended consequences that stifle market dynamics and innovation.
Criminal law’s entry into the realm of personal data use represents a significant shift from purely administrative or civil regulation toward more assertive deterrence and punishment mechanisms. However, this shift carries inherent risks. Overly stringent or ambiguous criminal laws could generate legal uncertainties, complicating compliance obligations for data controllers, processors, and collectors. Such burdens threaten both the legal use of personal information and the free flow of data essential to modern innovation ecosystems. The challenge lies in crafting criminal provisions with clear and elevated thresholds of illegal conduct, diversified justifications for data usage, and calibrated penalties to avoid chilling effects on legitimate data processing.
Defining the “illegality extent,” or threshold of unlawful personal data use worthy of criminal sanction, is especially complex. Not all misuse of personal information merits the severity of criminal penalties. Distinguishing between ordinary infractions and criminal abuse requires nuanced consideration of harm—both to individual autonomy over one’s data and to public or collective interests. Guo underscores that abuses that seriously impair an individual’s autonomous control over their personal information and result in substantive harm should meet the threshold for criminalisation.
This threshold is exemplified by the illegal use of data to infringe protected interests already recognized in existing criminal laws. For example, the 2020 amendment in China introducing the ‘crime of impostor’ illustrates how personal data misuse can directly distort educational admissions and employment qualifications, producing societal and individual harm. Criminal law here protects not only personal data autonomy but also entrenched legal rights underpinning social fairness.
Moreover, fraudulent or unauthorized use of personal data—ranging from telecommunication fraud to forging information to influence illicit business activities—warrants criminalisation, especially when such misuse forces victims to bear criminal consequences or propels perpetrators to commit further crimes. The aggregated illegal use of multiple data types exacerbates harm by systematically stripping data subjects of autonomy, as reflected in China’s judicial guidance delineating quantitative criteria that trigger serious penal sanctions.
Notably, the context of data acquisition matters profoundly. When ‘special groups’ tasked with public duties exploit their access to personal information for unauthorized purposes, the breach extends beyond individual autonomy to erode public trust in institutions. Such misuse must invoke criminal culpability even at reduced thresholds, as these actors enjoy legally sanctioned data privileges subject to heightened responsibility.
Personal danger posed by repeated offenders or recalcitrant actors who refuse to comply with lawful corrective notices underpins another dimension of criminal liability. This approach, rooted in precedents from Hong Kong and China’s network security law, recognizes that ignoring mandated corrective directives signals potential future violations, justifying criminal consequences to preempt escalating infringement on personal data autonomy.
A crucial element for criminalisation is the subjective intent to obtain illegal benefits through personal data misuse. Jurisdictions like Taiwan and Germany adopt this as a benchmark, reflecting the higher culpability of intentional profiteering. Intent sharpens the focus of criminal law on behaviors posing grave social risks, distinguishing them from lower-level administrative breaches.
Legal justifications or defenses against accusations of illegal data use revolve heavily around the legitimacy of the data user’s purpose. While some scholars promote balancing interests between data subjects and users, Guo highlights limitations of this approach, especially where highly personal or sensitive information is concerned. Instead, legal reasoning must respect the gradation of personal information domains—from intimate to private to social spheres—each demanding tailored protective and permissive rules.
The intimate sphere concerns highly protected private information linked to an individual’s right to privacy and dignity. The law generally forbids use of such data without explicit legal grounds or consent, consistent with civil law provisions safeguarding personal rights. Even voluntary disclosure by data subjects, such as public figures exposing their private lives for political or commercial reasons, faces boundaries framed by public order and morality. Ill-justified exploitation of sensitive private data, especially for coercion or threat, has been judicially condemned exemplified by Japanese court rulings on privacy intrusions.
Subsequently, sensitive personal information inhabits the private sphere and intertwines with an individual’s physical and psychological well-being. Here, the balancing of interests gains prominence. Use of health data or communication records may be permissible if it serves overriding societal interests; however, precautionary measures like transparency codes of conduct and obtaining separate consent are pivotal to preserving personal safety. Notably, criminal law interventions remain narrowly targeted, primarily reserved for cases with demonstrable significant social harm.
In the broad social sphere, general personal information serves essential roles in national security, governance, research, and commercial endeavors. Lawful use of such data for statistical and academic purposes generally mandates anonymization to prevent identification risks. Conversely, non-governmental entities using personal data for marketing must heed the information subject’s objections, emphasizing the primacy of consumer autonomy and economic efficiency in this domain.
Penalties for the illegal use of personal information deserve particular attention to harmonize deterrence with proportionality. Guo argues for appropriately heavier penalties for illegal use compared to acquisition or provision, given the former’s irreplaceable direct harm to personal data autonomy. However, China’s current legal practice sets the same penalty range for acquisition, use, and provision, reflecting an underlying presumption that these acts inflict comparable harms.
Comparative perspectives from jurisdictions like Japan, Germany, Hong Kong, and Taiwan indicate generally lighter penalties for illegal personal data use compared to China’s harsher maximum sentences. This disparity urges prudence in expanding criminal penalties and signals a need for fine-grained calibrations between custodial sentences and financial penalties tailored to specific offenses. Research into the strategic use of fines could enhance precision in punishing illicit personal data activities.
The article ultimately advocates a balanced, multi-faceted criminalisation strategy that preserves the crucial autonomy of data subjects, protects public trust, and supports innovation. Criminal law must define clear, high thresholds of liability reflecting significant harm, recognize legitimate uses grounded in privacy and public interest domains, and differentiate penalties to reflect the gravity of breaches. Such a framework averts the chilling effects of overbroad prohibitions while ensuring robust accountability for misuse.
In an age where personal data underpins economic and societal functions, nuanced criminal law responses that embrace technological realities and social values are imperative. Guo’s comparative and doctrinal insights provide a sophisticated blueprint for lawmakers worldwide wrestling with the complexities of regulating personal data amidst rapid digital transformation. The stakes are profound: safeguarding privacy and trust without undermining the innovative potential resting on data-driven ecosystems.
As legislation continues to evolve globally, balancing criminalisation’s protective imperatives with innovation’s demands will remain an ongoing, dynamic legal challenge. Crafting laws that clearly articulate illegality extents, justify lawful data uses across personal spheres, and proportion penalties to harms represent the best path forward. This approach not only protects individuals but creates a resilient digital ecosystem conducive to economic vitality and social progress in the information age.
Subject of Research: Criminalisation of illegal use of personal data and comparative legal approaches with a focus on China
Article Title: Criminalisation of the illegal use of personal data: comparative approaches and the Chinese choice
Article References: Guo, Z. Criminalisation of the illegal use of personal data: comparative approaches and the Chinese choice. Humanit Soc Sci Commun 12, 782 (2025). https://doi.org/10.1057/s41599-025-05141-y
Image Credits: AI Generated
