On 14 September 2022, the Cyberspace Administration of China (“CAC”) released the draft Decision on Amending the Cybersecurity Law of the People’s Republic of China (“Draft Amendments”) to for public consultation. If the CAC adopts the decision, it will become the first time that the Cybersecurity Law (“CSL”) has been amended since its enactment in 2016. In this article, we highlight the key points in the Draft Amendments and set out our observations.
The CSL is the first national legislation on network security protection in China and widely considered the first cornerstones cybersecurity and data protection framework. The CSL regulates the construction, operation, maintenance and use of network by network operators within the territory of China. The definitions of “network” and “network operators” are broad enough to include most of the information systems in China and their owners, operators and administrators.
After a few years’ deliberation, the Chinese government has expedited the legislative progress for cybersecurity and data security protection in recent years, which culminated in 2021 with the publication of the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”) marking the establishment of the Chinese cybersecurity and data protection network.
The provisions under the PIPL and the DSL, especially the severe penalties, render the CSL outdated and gives the Chinese government an incentive to bring the CSL in line with the latest laws.
KEY AMENDMENTS TO PENALTIES
General cybersecurity obligations
The Draft Amendments have significantly increased penalties for obligations relevant to
- compliance with cybersecurity multi-level protection scheme (“MLPS”)
- network products and services meeting mandatory national standards;
- critical network equipment and special-purpose cybersecurity products passing the security certifications or security tests for sale or provision;
- real-name authentication by network operators;
- contingency plans for cybersecurity incidents;
- conducting cybersecurity certification and testing and risk evaluation and releasing cybersecurity alerts; and
- providing technical support and assistance to law enforcement authorities.
The amendments on the legal penalties for the above general network security obligations include:
- Raising the upper limit of fines for general breaches to RMB 1,000,000 for network operators and RMB 100,000 for individuals directly liable.
- Introducing PIPL-type monetary fines for severe breaches, where a fine between RMB 1 million and RMB 50 million or up to 5% of its annual turnover in the previous year applies with the individuals directly liable subject to a fine in the range of RMB 100,000 to RMB 1 million and/or a ban on taking on managerial positions in China (“Severe Penalties”).
The Draft Amendments also extend to organisations the penalties for illegal invasion or disruption of network or data theft. Draft Amendments have also increased the upper limit of fines to RMB 1,000,000 for disseminating illegal information on the internet.
Critical information infrastructure (“CII”) operators
The Draft Amendments have adjusted penalties for breaching CII operators’ obligations to ensure the business stability and continuous operation, implement security protection measures, keep confidential the procurement of network products and services, and conduct regular security test and evaluation on security.
Adjustment to the penalties include:
- Imposing penalties such as openly criticizing , suspension of business operation for rectification, the shutdown of websites, and revocation of operation permits or business licenses;
- Abolishing the lower limit of the fine for refusing to make rectifications or causing serious consequences;
- Imposing the Severe Penalties; and
- Incorporating penalties for breaching data localisation and data export requirements under the DSL and PIPL.
In addition, the CSL requires that, if a CII operator purchase network products and services that may affect national security, such CII operator shall pass the national security review organized by the government (Article 35). The Draft Amendments have also increased the penalty for breaching the obligation of procuring secure network products and services a fine of one to ten times of the purchase amount or a fine less than 5% of its annual turnover in the previous year.
Content security obligations
The Draft Amendments propose to adjust penalties for breaching obligations to manage the information published by users and establish complaints and reporting mechanisms, as well as prohibition on installing malware or publishing illegal information in the electronic information.
The penalties have been adjusted as follows:
- Imposing “openly criticizing ” as a penalty;
- Raising the upper limit of the fine from RMB 500,000 to RMB 1,000,000 for those refuse to make rectifications or causing severe consequences; and
- Imposing the Severe Penalties in particularly serous circumstances.
In addition, the Draft Amendments has also strengthened the legal penalties for illegally publishing and transmitting information such as imposing the Severe Penalties in particularly serous circumstances.
Personal information protection obligations
The Draft Amendments propose to incorporate into the CSL the penalties under the PIPL on violations of personal information protection obligations, which consequently increased the penalties.
The Draft Amendments have substantially increased the penalties for breaches of most obligations under the CSL to a level in line with those under the PIPL and DSL. Apparently, such a move is intended to incentivise network operators to comply with the CSL and could herald renewed efforts of the CAC to enforce the CSL.
Companies should ensure that they have identified and remediated gaps in compliance with the CSL, in particular the obligations relevant to the MLPS, contingency plans, content security and appointment of security personnel.
According to the Draft Amendments, after being amended, the CSL will have more deterrent power in regulating network security due to the improvement of legal penalties for network security obligations under the CSL. It can be also inferred that regulatory authorities may further strengthen the enforcement on network security in the future. Besides, the legal system of cybersecurity and data security will be further improved and more internally consistent after the CSL is amended.
However, there are still some unclear issues related to the Draft Amendments which may need to be further clarified:
- According to the new employment restrictions under the Draft Amendments, relevant individuals may be prohibited to undertake certain positions of “relevant enterprises” for “a certain period”. However, it is not clear how to define the “relevant enterprises” and “a certain period”.
- As for new penalties imposed in particularly severe circumstances, network operators shall be subject to “a fine of not less than RMB 1 million but not more than RMB 50 million” or “less than 5% of its turnover in the previous year”. The standard is not clear for competent authority to choose either of above two options for imposing fine.
- The standard for “particularly severe circumstances” is also not clear under the Draft Amendments.
- The Draft Amendments does not revise the definition of personal information under the CSL, therefore, the definition of personal information under the CSL is still inconsistent with the PIPL.
Based on the Draft Amendments, from the perspective of compliance purpose, we would suggest that:
- Network operators should pay more attention to and strictly comply with network security obligations stipulated under the CSL considering the strengthening of legal penalties under the CSL (e.g. MLPS compliance, network security emergency response, appointment of personnel in charge of network security).
- It is advised for network operators to conduct a comprehensive self-evaluation on compliance with the CSL and implement relevant rectifications for risk mitigation purpose as soon as possible. As for multinational companies, they are advised to overview IT structure and network security management practice in China and take remediation accordingly.
- Network operators should particularly pay attention to the network content security, which may be one of the focuses of the enforcement activities in the near future.
- The standards for identifying CII operators are still not clear at present but may be clarified in the near future. As for the network operators which have already been identified as CII operators by the government, relevant network security legal requirements for CII shall be strictly complied with.