China to Toughen Penalties for Cybersecurity Breaches

BACKGROUND

The CSL is the first national legislation on network security protection in China and widely considered the first cornerstones cybersecurity and data protection framework. The CSL regulates the construction, operation, maintenance and use of network by network operators within the territory of China. The definitions of “network” and “network operators” are broad enough to include most of the information systems in China and their owners, operators and administrators.

After a few years’ deliberation, the Chinese government has expedited the legislative progress for cybersecurity and data security protection in recent years, which culminated in 2021 with the publication of the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”) marking the establishment of the Chinese cybersecurity and data protection network.

The provisions under the PIPL and the DSL, especially the severe penalties, render the CSL outdated and gives the Chinese government an incentive to bring the CSL in line with the latest laws.

KEY AMENDMENTS TO PENALTIES

General cybersecurity obligations

The Draft Amendments have significantly increased penalties for obligations relevant to

1. compliance with cybersecurity multi-level protection scheme (“MLPS”)
2. network products and services meeting mandatory national standards;
3. critical network equipment and special-purpose cybersecurity products passing the security certifications or security tests for sale or provision;
4. real-name authentication by network operators;
5. contingency plans for cybersecurity incidents;
6. conducting cybersecurity certification and testing and risk evaluation and releasing cybersecurity alerts; and
7. providing technical support and assistance to law enforcement authorities.

The amendments on the legal penalties for the above general network security obligations include:

• Raising the upper limit of fines for general breaches to RMB 1,000,000 for network operators and RMB 100,000 for individuals directly liable.
• Introducing PIPL-type monetary fines for severe breaches, where a fine between RMB 1 million and RMB 50 million or up to 5% of its annual turnover in the previous year applies with the individuals directly liable subject to a fine in the range of RMB 100,000 to RMB 1 million and/or a ban on taking on managerial positions in China (“Severe Penalties”).

The Draft Amendments also extend to organisations the penalties for illegal invasion or disruption of network or data theft. Draft Amendments have also increased the upper limit of fines to RMB 1,000,000 for disseminating illegal information on the internet

Obligations related to critical information infrastructure (“CII”) operators

The Draft Amendments have adjusted penalties for breaching CII operators’ obligations to ensure the business stability and continuous operation, implement security protection measures, keep confidential the procurement of network products and services, and conduct regular security test and evaluation on security.

Adjustment to the penalties include:

• Imposing penalties such as openly criticizing , suspension of business operation for rectification, the shutdown of websites, and revocation of operation permits or business licenses;
• Abolishing the lower limit of the fine for refusing to make rectifications or causing serious consequences;
• Imposing the Severe Penalties; and
• Incorporating penalties for breaching data localisation and data export requirements under the DSL and PIPL.

In addition, the CSL requires that, if a CII operator purchase network products and services that may affect national security, such CII operator shall pass the national security review organized by the government (Article 35). The Draft Amendments have also increased the penalty for breaching the national security review obligation of procuring network products and services a fine of one to ten times of the purchase amount or a fine less than 5% of its annual turnover in the previous year.

Content security obligations

The Draft Amendments propose to adjust penalties for breaching obligations to manage the information published by users and establish complaints and reporting mechanisms, as well as prohibition on installing malware or publishing illegal information in the electronic information.

The penalties have been adjusted as follows:

• Imposing “openly criticizing ” as a penalty;
• Raising the upper limit of the fine from RMB 500,000 to RMB 1,000,000 for those refuse to make rectifications or causing severe consequences; and
• Imposing the Severe Penalties in particularly serous circumstances.

In addition, the Draft Amendments has also strengthened the legal penalties for illegally publishing and transmitting information such as imposing the Severe Penalties in particularly serous circumstances.

Personal information protection obligations

The Draft Amendments propose to incorporate into the CSL the penalties under the PIPL on violations of personal information protection obligations, which consequently increased the penalties

CONCLUSION

The Draft Amendments have substantially increased the penalties for breaches of most obligations under the CSL to a level in line with those under the PIPL and DSL. Apparently, such a move is intended to incentivise network operators to comply with the CSL and could herald renewed efforts of the CAC to enforce the CSL.

Companies should ensure that they have identified and remediated gaps in compliance with the CSL, in particular the obligations relevant to the MLPS, contingency plans, content security and appointment of security personnel.