China’s top cybersecurity body is soliciting opinions from the public on proposed amendments to the country’s Cybersecurity Law. If passed, the amended law will increase fines for violations of cybersecurity obligations and prohibitions for network operators to up to RMB 50 million. The amendment also seeks to make the law more consistent with China’s growing cyber- and data security legal framework. The amendments to the China Cybersecurity Law may raise stakes for smaller companies, making compliance all the more critical.
On September 14, the Cyberspace Administration of China (CAC), China’s top cybersecurity body, released new amendments to the 2017 China Cybersecurity Law. The amendments were released along with a brief explainer, which stated that the amendments seek to make the law consistent with several new laws that have been released since the Cybersecurity Law came into effect in 2017. These are the Administrative Punishment Law, the Data Security Law, and the Personal Information Protection Law (PIPL), all of which were revised or implemented in 2021.
Almost all of the amendments change the scope and severity of penalties for violating certain provisions, and therefore do not make any changes to the legality of various types of behavior or activity prohibited by the Cybersecurity Law. The amendments also do not reduce the responsibilities of network operators to protect their networks, data, and users.
The amendments to the Cybersecurity Law therefore seek to improve consistency between these new laws and regulations, improve legal liability, and further improve cybersecurity in China.
What are the proposed changes to the China Cybersecurity Law?
The amendments to the Cybersecurity Law cover four main aspects, as explained by the CAC.
The first is to improve the legal liability system for violations of general provisions on network operation security. Based on the implementation of the current network operation security legal system, the CAC has proposed adjusting the types and extent of administrative penalties for acts that violate network operation security protection obligations or cause consequences, such as jeopardizing network operation security.
The second is to revise the legal responsibility system for the security protection of critical information infrastructure (CII). In order to strengthen the responsibility for the security protection of CII, the penalties for illegal acts by critical information infrastructure operators (CIIOs) have been raised.
The third is to adjust the legal responsibility for network information security – that is, the obligations of network providers to ensure the information shared through their networks by companies and individuals does not violate China’s laws. In order to better adapt to the actual situation of network information security, the amended provisions integrate legal responsibilities for violations of network information security obligations, adjust the range of administrative penalties and prohibitions on employment, and add provisions on legal liabilities for illegal acts that are not stipulated by laws and administrative regulations.
Finally, the relevant articles of the Cybersecurity Law have been revised to be more consistent with the provisions of the PIPL and provide better protection for personal information (PI).
Below we outline the specific amendments to the Cybersecurity Law, covering the rise in fines for violations of certain provisions and the updates for consistency with other regulations.
Increased fines for violations of cybersecurity protection obligations
The amended Cybersecurity Law raises the fines for violations of over a dozen articles. Previously, the headline fine for violating one of these articles was RMB 500,000 (US$71,360), and in one instance up to 10 times the value of the illegal products purchased by a company. In the amended version, the headline fine is RMB 1 million (US$142,720), or up to 5 percent of the previous year’s turnover for certain serious violations.
The penalty for the individuals held directly responsible for the violations has also increased, from a maximum of RMB 100,000 (US$14,272) to RMB 1 million for certain serious violations.
The articles cover cybersecurity requirements for network operators and CIIOs, prohibitions on the use of networks, requirements for the collection, use, and handling of PI, and the responsibilities of network operators over the content posted by users.
Raised Fines and Penalties in Amended Cybersecurity Law

| Amended articles | Violation | Current penalty | Proposed penalty |
|---|---|---|---|
| 59, 60, 61 and 62 | Violation of Articles 21, 22 (Paragraphs 1 and 2), 23, 24 (Paragraph 1), 25, 26, 28, 33, 34, 36, and 38. Articles 21 to 28 deal with the cybersecurity requirements of ordinary network operators, while Articles 33 to 38 deal with the cybersecurity protection obligations of CIIOs. | Fine of RMB 10,000 (US$1,427) to RMB 100,000, or RMB 50,000 (US$7,136) to RMB 500,000 for certain violations with “serious” consequences. Fine of RMB 10,000 to RMB 100,000 for persons held responsible. | Fine of RMB 100,000 to RMB 1 million if a company fails or refuses to make the required corrections or if the violation is deemed serious. Fine of RMB 1 million to RMB 5 million, or 5 percent of the previous year’s turnover, for cases with “severe” consequences. Fine of RMB 100,000 to RMB 1 million for the person held responsible. |
| 63 and 67 | Violation of Articles 27 and 46. Article 27 prohibits individuals and companies from engaging in activities, or using tools, that endanger cybersecurity. Article 46 holds individuals and organizations responsible for how they use networks and prohibits them from setting up websites or communication groups for illegal and criminal activities. | A fine of RMB 10,000 to RMB 100,000 and detention of up to five days, or a fine of RMB 50,000 to RMB 500,000 and detention of five to 15 days for serious violations (for violation of Article 46). | A fine of RMB 50,000 to RMB 500,000 and five days of detention. A fine of RMB 100,000 to RMB 1 million and five to 15 days’ detention for serious violations. |
| 64 | Violation of Article 35, which requires network products and services acquired by CIIOs that may affect national security to pass a national security review organized by the cybersecurity and informatization department. | A fine of one to ten times the purchase amount, and a fine of RMB 10,000 to RMB 100,000 for responsible persons. | A fine of one to ten times the purchase amount, or up to 5 percent of the previous year’s turnover, and a fine of RMB 10,000 to RMB 100,000 for responsible persons. |
| 68 and 69 | Violation of Articles 47, 48, and 49, which require network operators to manage the content published by individuals or organizations through their networks and hold them responsible if users publish prohibited content. | A fine of RMB 100,000 to RMB 500,000, and a fine of RMB 10,000 to RMB 100,000 for persons in charge. | A fine of up to RMB 1 million, and a fine of RMB 10,000 to RMB 100,000 for the persons responsible. A fine of RMB 1 million to RMB 50 million, or 5 percent of the previous year’s turnover, and a fine of RMB 100,000 to RMB 1 million for the persons in charge for serious violations. |
| 70 | Article 12, which stipulates that any individual or organization using the Internet must abide by China’s Constitution and laws, observe public order, and respect social morality. It also prohibits the use of the Internet to engage in activities that undermine China’s sovereignty, national security, and stability, such as inciting subversion of state power, overthrowing the socialist system, inciting secession, advocating terrorism, extremism, ethnic hatred, ethnic discrimination, and more. | Punished in accordance with the provisions of relevant laws and administrative regulations. | [If the relevant laws and administrative regulations do not provide for it] a fine of up to RMB 1 million, and a fine of RMB 10,000 to RMB 100,000 for the responsible persons. A fine of RMB 1 million to RMB 50 million, or up to 5 percent of the previous year’s turnover, and a fine of RMB 100,000 to RMB 1 million on the persons responsible for serious violations. |
In addition to the above fines, companies found to be in violation of the listed articles may also be liable for other punishments, including suspension of relevant businesses, the shutdown of websites or other services, revocation of business licenses, and other administrative penalties. Individuals held directly responsible for the violations may also be barred from taking up a senior role in the company or industry, or barred from working in the industry again if the violations are deemed particularly egregious.
Updates for consistency with other regulations
In two of the amended articles, the CAC removed clauses stipulating specific punishments for violations of certain articles of the Cybersecurity Law and instead added the sentence “punishment in accordance with relevant laws and administrative regulations.” Although the amended articles do not specify which regulations or provisions the law defers to for these violations, we can deduce from the type of violation which laws are being referred to.
Articles Updated for Consistency with Other Data and Personal Information Laws

| Updated articles | Violations | Previous penalty | Proposed penalty |
|---|---|---|---|
| Article 64 | Violations of Article 22, Paragraph 3, and Articles 41 to 44, which deal with how network operators can handle, collect, and process the PI of users. | Fine of one to ten times the illegal gains. If there are no illegal gains, a fine of up to RMB 1 million. A fine of RMB 10,000 to RMB 100,000 for persons held responsible. | Punishment in accordance with relevant laws and administrative regulations. Possible relevant laws and regulations: PIPL, Data Security Law. |
| Article 66 | Violation of Article 37, which requires CIIOs to store PI and important data collected from users and subjects located in China within China. | Fine of RMB 50,000 to RMB 500,000, and a fine of RMB 10,000 to RMB 100,000 for persons held responsible. | Punishment in accordance with relevant laws and administrative regulations. Possible relevant laws and regulations: PIPL, and the Measures for the Administration of Data Security in the Field of Industrial and Information Technology sectors (Trial). |
In the case of violations of Paragraph 3 of Article 22 and Articles 41 to 42, the relevant provisions for penalties can be found in the PIPL and the Data Security Law. Violations of the PIPL can result in a fine of up to RMB 50 million (US$7.1 million) or up to 5 percent of the previous year’s turnover for serious violations. Companies may also be liable for lawsuits by consumer groups should they violate consumers’ rights.
The requirement for CIIOs to store data and PI collected from users and subjects in China within China’s borders has been stipulated in several pieces of legislation, including the PIPL (Article 36) and the Measures for the Administration of Data Security in the Field of Industrial and Information Technology sectors (Trial) (Article 21). Violating this provision of the Cybersecurity Law, under the new amendment, could therefore now lead to penalties under these laws and regulations, which include fines of up to RMB 50 million, confiscation of illegally obtained assets and income, and investigation for criminal responsibility.
What is the significance of the amendments to the China Cybersecurity Law?
The increased fines for violations of the Cybersecurity Law will give authorities more legal teeth to tackle violations and protect users’ rights. A prominent example is the recent case of Didi Chuxing, the ride-hailing giant that was fined a record US$1.2 billion for violations of China’s cyber- and data security regulations and PI protection regulations, including the Cybersecurity Law.
However, this case is likely to be an outlier due to the size of the company involved, the broad scope of violations, and the size of the fine. The majority of cybersecurity cases are likely to be among smaller companies that may not receive as much media attention, but which nonetheless have much to lose in the case of a penalty.
The latest amendments, if passed in their current form, would significantly raise the stakes for smaller companies, as the headline fines for both the companies and the individuals involved have been increased. Compliance with the Cybersecurity Law, and with China’s other data and PI protection regulations, is therefore more important than ever.
China Briefing is written and produced by Dezan Shira & Associates.