China’s cyber regulator – the Cyberspace Administration of China (CAC) – released the draft Provisions on the Administrative Law Enforcement Procedures of the Cyberspace Administration Departments (Draft Provisions) on 8 September 2022.

The Draft Provisions are part of the CAC’s effort to enhance its law enforcement powers in the areas of cybersecurity, data security and personal information protection. Tech and other businesses should monitor their development, as the final provisions would apply to administrative enforcement in these increasingly fundamental aspects of modern commerce.

Below are some highlights:

1. Enhanced law enforcement team

Many market observers have the impression that the CAC lacks sufficient resources to properly enforce its growing web of rules. However, as reported in a recent press conference, the CAC has now established its Network Law Enforcement and Supervision Bureau to strengthen enforcement in this area. The new bureau is likely to be the key division within the CAC and to be tasked with exercising the enforcement powers stipulated in the Draft Provisions, including bringing cases against infringing parties, undertaking investigations and evidence collection, conducting hearings and interviews, deciding upon and serving administrative penalties and so on.

2. Expanded legal basis for CAC law enforcement

The Draft Provisions are not a brand-new set of rules. Their predecessor is the 2017 Provisions on the Administrative Law Enforcement Procedures for the Administration of Internet-based Information Content.

As we can see from the name, the 2017 provisions focus on the regulation of online content, while the Draft Provisions extend the legal basis for the CAC to impose administrative penalties on violations relating to cybersecurity, data security and personal information protection.

3. Strengthened means of enforcement

The Draft Provisions provide that, where evidence is likely to be destroyed or lost, or may be difficult to obtain in the future, cyberspace administration departments may retain the computers, servers, hard disks, removable storage devices, memory cards and other materials involved in a case. Upon internal approval, the CAC can also seal up facilities and detain evidence when handling a personal information protection case.

The Draft Provisions therefore propose a significant increase in the CAC’s powers from those granted in 2017. Assuming these powers become a reality, businesses’ contingency planning for investigations by the CAC will need to consider practical responses to the potential implications of such action on their operations.

4. Technical and procedural details

In comparison with the 2017 provisions, the Draft Provisions include details about the procedures by which cyberspace administration departments may exercise their administrative powers. These additions include restrictions on applying duplicate penalties to the same infringement, guardrails for hearing procedures, time limits for general administrative procedures (with extension powers for major and complicated cases), and enforcement and penalty protocols.

The Draft Provisions also stipulate the rights of the parties concerned to apply for administrative reconsideration and file an administrative lawsuit. Given that administrative penalties relating to breaches of cybersecurity and data laws have the potential to be significant (namely up to RMB 50m or 5% of the company's annual revenue), it may only be a matter of time before specialist practitioners emerge who understand the procedural intricacies of defending tech and other businesses in those cases.

The public consultation on the Draft Provisions ends on 8 October. Please let us know if you would like to submit comments through us on this important piece of CAC regulation.