Effective since 1 June 2017, the Cybersecurity Law (CSL) was the first national legislation in China to comprehensively regulate the country’s cybersecurity and network protection. It was followed in 2021 by two other major data laws, i.e., the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). On 12 September 2022, the Cyberspace Administration of China (CAC) released a draft Decision on Amending the Cybersecurity Law (Draft Amendment) for public consultation, aiming to enhance this key data law’s legal liability system and align it with that under the PIPL.
Higher fines for breach of cybersecurity protection obligations
A key proposal in the Draft Amendment is to substantially increase the fines attaching to some violations under the CSL.
For severe misconduct, maximum fines for organisations would jump from RMB 1 million to RMB 50 million or 5% of an organisation’s previous year’s turnover, and from RMB 100,000 to RMB 1 million for directly responsible individuals. The in-scope violations would include:
- severe violations of cybersecurity protection obligations or severely harming the security of network operation;
- failure to protect cyber information security, to take measures to suspend transfers of or delete information that is prohibited from distribution, or to take action against relatively major security risks or security incidents; and
- distributing or transferring prohibited information.
In respect of the use by a critical information infrastructure operator (CIIO) of network products or services that have not been assessed or have failed a security assessment, the CIIO may be subject to a fine of up to ten times the procurement amount or 5% of its previous year’s turnover, with a penalty of up to RMB 100,000 being imposed on directly responsible individuals.
Violations relating to personal information protection or data security, including for example illegal storage or provision of network data by a CIIO, may be subject to penalties under the PIPL and/or the DSL where appropriate.
Additional categories of administrative penalties beyond monetary fines
Apart from higher fines, the Draft Amendment also introduces into the CSL additional penalty types. If enacted in the current form, these sanctions could have a broader adverse impact on an organisation’s business operations, including:
- as applicable to an organisation: an order of rectification, an official warning or public reprimand, confiscation of income derived from the misconduct, suspension or termination of the relevant services, termination of the organisation’s business operation, shutdown of its website(s), or revocation of its regulatory or business licence(s);
- as applicable to a directly responsible individual: a prohibition from acting as a director, supervisor or senior manager of the relevant organisation or working in key positions of network security management and network operation for a certain period.
Although these administrative penalties appear to be largely in line with those under the PIPL, it is worth mentioning that “public reprimand” would be a new sanction to plug a gap in the CAC’s armory, echoing the reform of the Administrative Penalty Law in 2021 and the current enforcement practice of many Chinese regulators.
Considering the potential reputational and associated risks when a business is public censured for its misconduct, businesses’ cyber and data compliance programmes (including relevant contingency planning) will need to be better coordinated between legal, operational, technical and public/government relations functions to avoid receiving this sanction in practice.
Our observations
The Draft Amendment would significantly enhance the CAC’s sanction menu under the CSL. While the market may generally perceive the CAC as a lawmaker that formulates the high-level framework governing China’s cyberspace, with the recent financial penalties handed down in July, the set-up of cyber law enforcement and supervision bureau announced in August, another recent set of draft provisions to enhance the CAC’s administrative law enforcement power, and now these proposals in September, the CAC seems to be shifting its legislative objective and moving into a new phase. Businesses must - if they have not done so already - be prepared for the consequences.
The Draft Amendment is open to public feedback until 29 September 2022. If you would like to submit your comments to the CAC through us, feel free to contact us.