On 14 September 2022, the Cyberspace Administration of China (“CAC”) released the draft Decision on Amending the Cybersecurity Law of the People’s Republic of China (“Draft Amendments”) for public consultation. If the CAC adopts the decision, it will be the first time that the Cybersecurity Law (“CSL”) has been amended since its enactment in 2016. In this article, we highlight the key points in the Draft Amendments and set out our observations.
The CSL is the first national legislation on network security protection in China and is widely considered the first cornerstone of the cybersecurity and data protection framework. The CSL regulates the construction, operation, maintenance and use of networks by network operators within the territory of China. The definitions of “network” and “network operators” are broad enough to include most of the information systems in China and their owners, operators and administrators.
After a few years’ deliberation, the Chinese government has expedited the legislative progress for cybersecurity and data security protection in recent years, which culminated in 2021 with the publication of the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”) marking the establishment of the Chinese cybersecurity and data protection network.
The provisions under the PIPL and the DSL, especially the severe penalties, render the CSL outdated and give the Chinese government an incentive to bring the CSL in line with the latest laws.
The Draft Amendments have significantly increased penalties for obligations relevant to
The amendments on the legal penalties for the above general network security obligations include:
The Draft Amendments also extend to organisations the penalties for illegal invasion or disruption of networks or data theft. The Draft Amendments have also increased the upper limit of fines to RMB 1,000,000 for disseminating illegal information on the internet.
The Draft Amendments have adjusted penalties for breaching CII operators’ obligations to ensure business stability and continuous operation, implement security protection measures, keep confidential the procurement of network products and services, and conduct regular security tests and evaluations.
Adjustments to the penalties include:
In addition, the CSL requires that, if a CII operator purchases network products and services that may affect national security, such CII operator shall pass the national security review organized by the government (Article 35). The Draft Amendments have also increased the penalty for breaching the national security review obligation when procuring network products and services to a fine of one to ten times the purchase amount or a fine of less than 5% of its annual turnover in the previous year.
The Draft Amendments propose to adjust penalties for breaching obligations to manage the information published by users and establish complaints and reporting mechanisms, as well as the prohibitions on installing malware or publishing illegal information in electronic information.
The penalties have been adjusted as follows:
In addition, the Draft Amendments have also strengthened the legal penalties for illegally publishing and transmitting information, such as imposing the Severe Penalties in particularly serious circumstances.
The Draft Amendments propose to incorporate into the CSL the penalties under the PIPL on violations of personal information protection obligations, which consequently increased the penalties
The Draft Amendments have substantially increased the penalties for breaches of most obligations under the CSL to a level in line with those under the PIPL and DSL. Apparently, such a move is intended to incentivise network operators to comply with the CSL and could herald renewed efforts of the CAC to enforce the CSL.
Companies should ensure that they have identified and remediated gaps in compliance with the CSL, in particular the obligations relevant to the MLPS, contingency plans, content security and appointment of security personnel.