China’s top cybersecurity body is soliciting opinions from the public on proposed amendments to the country’s Cybersecurity Law. If passed, the amended law will increase fines for violations of cybersecurity obligations and prohibitions for network operators to up to RMB 50 million. The amendment also seeks to make the law more consistent with China’s growing cyber- and data security legal framework. The amendments to the China Cybersecurity Law may raise stakes for smaller companies, making compliance all the more critical.
On September 14, the Cyberspace Administration of China (CAC), China’s top cybersecurity body, released new amendments to the 2017 China Cybersecurity Law. The amendments were released along with a brief explainer, which stated that the amendments seek to make the law consistent with several new laws that have been released since the Cybersecurity Law came into effect in 2017. These are the Administrative Punishment Law, the Data Security Law, and the Personal Information Protection Law (PIPL), all of which were revised or implemented in 2021.
Almost all of the amendments change the scope and severity of penalties for violating certain provisions, and therefore do not make any changes to the legality of various types of behavior or activity prohibited by the Cybersecurity Law. The amendments also do not reduce the responsibilities of network operators to protect their networks, data, and users.
The amendments to the Cybersecurity Law therefore seek to improve consistency between these new laws and regulations, improve legal liability, and further improve cybersecurity in China.
The amendments to the Cybersecurity Law cover four main aspects, as explained by the CAC.
The first is to improve the legal liability system for violations of general provisions on network operation security. Based on the implementation of the current network operation security legal system, the CAC has proposed adjusting the types and extent of administrative penalties for acts that violate network operation security protection obligations or cause consequences, such as jeopardizing network operation security.
The second is to revise the legal responsibility system for the security protection of critical information infrastructure (CII). In order to strengthen the responsibility for the security protection of CII, the penalties for illegal acts by critical information infrastructure operators (CIIOs) have been raised.
The third is to adjust the legal responsibility for network information security – that is, the obligations of network providers to ensure the information shared through their networks by companies and individuals does not violate China’s laws. In order to better adapt to the actual situation of network information security, the amended provisions integrate legal responsibilities for violations of network information security obligations, adjust the range of administrative penalties and prohibitions on employment, and add provisions on legal liabilities for illegal acts that are not stipulated by laws and administrative regulations.
Finally, the relevant articles of the Cybersecurity Law have been revised to be more consistent with the provisions of the PIPL and provide better protection for personal information (PI).
Below we outline the specific amendments to the Cybersecurity Law, covering the rise in fines for violations of certain provisions and the updates for consistency with other regulations.
The amended Cybersecurity Law raises the fines for violations of over a dozen articles. Previously, the headline fine for violating one of these articles was RMB 500,000 (US$71,360), and in one instance, up to 10 times the value of the illegal products purchased by a company. In the amended version, the headline fine is RMB 1 million (US$142,720) or up to 5 percent of the previous year’s turnover for certain serious violations.
The penalty for the individuals held directly responsible for the violations has also increased, from a maximum of RMB 100,000 (US$14,272) to RMB 1 million for certain serious violations.
The articles cover cybersecurity requirements for network operators and CIIOs, prohibitions on the use of networks, requirements for the collection, use, and handling of PI, and the responsibilities of network operators over the content posted by users.
Articles 21 to 28 deal with the cybersecurity requirements of ordinary network operators while articles 33 to 38 deal with the cybersecurity protection obligations of CIIOs.
Fine of RMB 10,000 to 100,000 for persons held responsible.
Fine of RMB 1 million to RMB 5 million or 5 percent of the previous year’s turnover in cases with “severe” consequences.
Fine of RMB 100,000 to RMB 1 million for the person held responsible.
Article 27 prohibits individuals and companies from engaging in procedures or using tools that endanger cybersecurity activities. Article 46 holds individuals and organizations responsible for how they utilize the networks and prohibits them from setting up websites or communication groups for illegal and criminal activities.
A fine of RMB 100,000 to RMB 1 million and five to 15 days’ detention for serious violations.
A fine of RMB 1 million to RMB 50 million or 5 percent of the previous year’s turnover and a fine of RMB 100,000 to RMB 1 million for the persons in charge for serious violations.
A fine of RMB 1 million to RMB 50 million or up to 5 percent of the previous year’s turnover and a fine of RMB 100,000 to RMB 1 million on the persons responsible for serious violations.
In addition to the above fines, companies found to be in violation of the listed articles may also be liable for other punishments. This includes suspension of relevant businesses, the shutdown of websites or other services, revoking of business licenses, and other such administrative penalties. Individuals that are held directly responsible for the violations may also be barred from taking up a senior role in the company or industry or be barred from working in the industry again if the violations are deemed particularly egregious.
In two of the amended articles, the CAC removed clauses stipulating specific punishments for violations of certain articles of the Cybersecurity Law and instead added the sentence “punishment in accordance with relevant laws and administrative regulations.” Although the amended articles do not specify exactly which regulations or provisions the law defers to in the case of violations of these articles, we can deduce from the type of violation which laws it is referring to.
Possible relevant laws and regulations:
PIPL, Data Security Law
PIPL, and the Measures for the Administration of Data Security in the Field of Industrial and Information Technology sectors (Trial).
In the case of violations of Paragraph 3 of Article 22 and Articles 41 to 42, the relevant provisions for penalties can be found in the PIPL and the Data Security Law. Violations of the PIPL can result in a fine of up to RMB 50 million (US$7.1 million) or up to 5 percent of the previous year’s turnover for serious violations. Companies may also be liable for lawsuits by consumer groups should they violate consumers’ rights.
The requirement for CIIOs to store data and PI collected from users and subjects in China within China’s borders has been stipulated in several pieces of legislation, including the PIPL (Article 36) and the Measures for the Administration of Data Security in the Field of Industrial and Information Technology sectors (Trial) (Article 21). Violating this provision of the Cybersecurity Law, under the new amendment, could therefore now lead to penalties under these laws and regulations, which include fines of up to RMB 50 million, confiscation of illegally obtained assets and income, and investigation for criminal responsibility.
The increased fines for violations of the Cybersecurity Law will give authorities more legal teeth to tackle violations and protect users’ rights. A prominent example is the recent case of Didi Chuxing, the ride-hailing giant that was fined a record US$1.2 billion for violations of China’s cyber- and data security regulations and PI protection regulations, including the Cybersecurity Law.
However, this case is likely to be an outlier due to the size of the company involved, the broad scope of violations, and the size of the fine. The majority of cybersecurity cases are likely to be among smaller companies that may not receive as much media attention, but which nonetheless have much to lose in the case of a penalty.
The latest amendments, if passed in their current form, would significantly raise the stakes for smaller companies, as the headline fines for both the companies and individuals involved have been increased. Compliance with the Cybersecurity Law, and China’s other data and PI protection regulations, will therefore be more important than ever.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at firstname.lastname@example.org.