2022.09.22 DONG, Xiao (Marissa)、GUO,Jinghe、ZHOU.Jia、YIN,Feng
On September 14, 2022, the Cyberspace Administration of China (CAC) issued the Decision of Amending the Cybersecurity Law of the People's Republic of China (Exposure Draft) to solicit public opinion until September 29, 2022. It is one of the three major laws in China's cybersecurity and data protection legislation and will be revised for the first time since 2017.
The revisions mainly focus on legal liability in four areas: the security of network operations, the security protection of critical information infrastructure, network information security and the protection of personal information. They reflect the connection and coordination between the Data Security Law, the Personal Information Protection Law, the Administrative Penalties Law, and other newly implemented laws. The Exposure Draft aligns with the trend for continuous law enforcement in the field of cybersecurity. The main revision of opinions in the Exposure Draft are summarized as follows.
I. Improving the legal liability system for violations to the general provisions of network operation security
Article 21, Paragraph 1 and Paragraph 2 of Article 22, Article 23, Paragraph 1 of Article 24, Article 25, Article 26 and Article 28 of the Cybersecurity Law regulate the obligations to be observed by network operators, including: (1) graded systems for cybersecurity protection; (2) obligations to ensure that network products and services satisfy the mandatory requirements set forth in the applicable national standards and other duties for security protection; (3) obligations to pass the security certifications or security tests for critical network equipment and special-purpose cybersecurity products; (4) obligations to conduct real-identity authentication; (5) obligations to develop and comply with emergency plans for cybersecurity events; (6) obligations to comply with the applicable national regulations when releasing cybersecurity information such as system bugs, computer viruses, network attacks and intrusions; and (7) obligations to provide technical support and assistance to the relevant government departments in their attempts to safeguard national security and investigate crimes.
The Exposure Draft revises the penalties for violations of such provisions, including the following major changes:
1. New types of administrative penalties added for illegal conduct by network operators. These include the circulation of notices of criticism, orders to suspend the relevant business or stop its operation for rectification, the shutdown of websites, and the revocation of relevant business permits or licenses.
2. Raising the amount of fines imposed on network operators, supervisors directly in charge and other directly liable persons. Where a network operator commits any of the foregoing violations and refuses to make rectifications, the fine shall be adjusted from the original "a fine ranging from CNY 10,000 to CNY 100,000" to "a fine of not more than CNY 1 million"; and for supervisors directly in charge and other directly liable persons, the fines shall be increased from "a fine ranging from CNY 5,000 to CNY 50,000" to "a fine ranging from CNY 10,000 to CNY 100,000".
3.New penalties imposed in particularly severe circumstances. Under particularly severe circumstances, network operators shall be subject to a fine of not less than CNY 1 million but not more than CNY 50 million or less than 5% of its turnover in the previous year, and supervisors directly in charge and other directly liable persons shall be subject to a fine of not less than CNY 100,000 but not more than CNY 1 million, and may be prohibited from serving as directors, supervisors or senior executives of related enterprises or holding any key posts relating to cybersecurity and network operation for a certain period of time.
4.Penalty provisions added to articles without corresponding penalties in the Cybersecurity Law, including Article 23 and Article 28.
5.Regarding the protection of network operation security, the Exposure Draft updates the legal liability for violations of Article 27 of the Cybersecurity Law. Article 27 of the Cybersecurity Law provides that no individual or organization may engage in activities that threaten cybersecurity, such as unlawful intrusion into others' networks, interfering with the normal functions of others' networks and stealing network data, nor provide any technical support or assistance to others that are engaged in such activities. Based on the original provisions regarding legal liability, the Exposure Draft introduces punitive measures against organizations and employment restrictions against personnel engaging in the above-mentioned activities.
II. Amending the legal liability regarding the security protection of critical information infrastructure
Articles 33, 34, 36 and 38 of the Cybersecurity Law regulate the security requirements for the construction of critical information infrastructure, the security protection obligations of critical information infrastructure operators, the security and confidentiality obligations for the procurement of critical information infrastructure, and the obligations of regular security inspection and evaluation of critical information infrastructure. The Exposure Draft amends the legal liabilities for the violation of the above provisions, which are reflected in the following ways:
1.New types of administrative penalties added to the illegal activities of critical information infrastructure operators. These include the circulation of notices of criticism, orders to suspend the relevant business or stop its operation for rectification, the shutdown of websites, and the revocation of relevant business permits or licenses.
2.Abolishing the minimum fine for refusing to make rectifications. The fine amount has been adjusted from "a fine ranging from CNY 100,000 to CNY 1 million" to "less than CNY 1 million", and the lower limit of the fine is abolished.
3.Adding penalty provisions under particularly serious circumstances. The specific provisions are consistent with the aforementioned penalty provisions for network operators who violate the general provisions regarding network operation security.
4.Transmitting the penalty provisions for violating the obligations of outbound data transfers. Article 37 of the Cybersecurity Law requires that the operators of critical information infrastructure shall store the personal information and important data collected and generated during its operation within the territory of the People's Republic of China inbound. Where such information and data must be provided abroad for business purposes, security assessments shall be conducted. With respect to the legal liability for the violation of these obligations, the Exposure Draft stipulates that "punishments shall be imposed in accordance with the relevant laws and administrative regulations". Specifically, the operators of critical information infrastructure shall be punished according to Article 46 of the Data Security Law if they provide important data to overseas parties in violation of the aforesaid provisions; and if the operators provide personal information to overseas parties in violation of the aforesaid provisions, they shall be punished according to Article 66 of the Personal Information Protection Law.
III.Adjusting the legal liability for network content security
The Exposure Draft revises the penalty provisions of Article 47 to Article 49 of the Cybersecurity Law. The preceding provisions specify the obligations of network operators regarding network content security, which includes the timely deletion of illegal information published or transmitted by users, the prohibition of installing malware in the electronic information sent or the applications provided, and the establishment of network information security complaints and reporting mechanisms. The revisions to the corresponding penalty provisions in the Exposure Draft include the following:
1.Adding the administrative penalty of "circulating a notice of criticism" to network operators who violate the obligation for protecting network information security;
2.Raising the maximum fine from the original "CNY 500,000" to "CNY 1,000,000" for those who refuse to make rectifications or in severe circumstances;
3.Increasing the penalty provisions for particularly severe circumstances, which are consistent with the penalty provisions for network operators who violate the general provisions for network operation security;
4.The fines for relevant individuals and organizations have been increased in Paragraph 2, Article 12 of the Cybersecurity Law, which prohibits using networks to publish or transmit information about illegal activities, and Article 46, which prohibits the establishment of websites or online communication groups for the purpose of committing crimes or publishing illegal information.
IV. Amending the legal liability for personal information protection
The Exposure Draft revises the legal liability for violations of Paragraph 3 of Article 22 and Articles 41 to 44 of the Cybersecurity Law. These articles involve the requirements for network operators in the protection of personal information, including following the principles of lawfulness, legitimacy and necessity in the collection and use of personal information, the obligation to take necessary measures to ensure the security of personal information, and the obligation to respond to individuals' requests to delete or correct personal information. The Cybersecurity Law sets forth detailed provisions on legal liabilities for the violation of the aforesaid provisions. However, given that the Personal Information Protection Law provides a comprehensive legal liability system for the protection of personal information, in order to better connect with the Personal Information Protection Law, the Exposure Draft revises the original personal information protection legal liability into transitive provisions.
V. Summary
The Exposure Draft does not add any specific compliance obligations on network operators. Instead, it sets out stricter provisions on the legal liabilities of network operators (including critical information infrastructure operators) with respect to network operation security, network content security and personal information protection. For example, network operators shall be subject to a fine of up to 5% of the previous year's turnover and the supervisors directly in charge and other directly liable persons shall be subject to a fine of up to CNY 1 million as well as employment restrictions for a certain period, which will greatly increase the compliance risks and costs to network operators and management personnel. The above changes reflect the latest provisions of the Personal Information Protection Law and the regulatory trend indicated by law enforcement cases.
We recommend that enterprises focus on the amendments to the Cybersecurity Law and conduct compliance self-examinations based on the relevant requirements, to ensure that they perform their statutory obligations in accordance with the latest requirements.
1.CAC issued the Decision of Amending the Cybersecurity Law of the People's Republic of China (Exposure Draft), http://www.cac.gov.cn/2022-09/14/c_1664781649609823.htm
