Introduction
On September 14, 2022, the Cyberspace Administration of China (the "CAC") released an exposure draft of the Decision on Amending the Cybersecurity Law of the People's Republic of China (Draft for Comment) (the "Draft"). In general, the Draft would impose more stringent legal liabilities for certain violations of the Cybersecurity Law (the "CSL") and systematically consolidate and unify penalties for violating security protection obligations relating to network operations, network information, critical information infrastructure ("CII"), and personal information. The Draft would also coordinate with the Personal Information Protection Law (the "PIPL"), the Data Security Law, and other new laws. We briefly summarize the key points of the Draft below.
Stricter legal liabilities for violating network operation security obligations
The Draft would consolidate and unify liabilities for violating various general provisions on network operation security, including security protection obligations required by the Multi-level Protection Scheme, obligations to develop and implement emergency plans for network security incidents, and obligations to provide continuous security maintenance of products and services. Compared to the current CSL, the Draft would supplement the penalties for violating Article 23, which requires security certification or security testing for critical network equipment and special cybersecurity products. Notably, liabilities for violating these provisions would be made more stringent. The Draft echoes Article 66 of the PIPL by raising the maximum fine for personal information processors to RMB 50 million or five percent of their previous year's turnover. The Draft would also raise the maximum fines for persons directly liable to up to 1 million yuan and add the penalty of prohibiting such persons from taking management or key cybersecurity protection positions.
|
Related articles
|
Liabilities under the CSL
|
Liabilities under the Draft
|
Article 21 The State adopts Multi-level Protection Scheme, under which network operators are required to perform the following obligations of security protection to ensure that the network is free from interference, disruption or unauthorized access, and prevent network data from being disclosed, stolen or tampered: 1. Formulating internal security management systems and operation instructions to determine the person in charge of cybersecurity and define accountabilities for cybersecurity; 2. Taking technical measures to prevent computer virus, network attacks, network intrusions and other activities that endanger cybersecurity; 3. Taking technical measures to monitor and record network operation and cybersecurity events, and maintaining the cyber-related logs for no less than six months as required; 4. Taking such measures as data classification, and backup and encryption of important data, etc.; and 5. Performing other obligations provided for in relevant laws and administrative regulations.
|
【Liabilities for violating network operation security】
The competent authority shall warn such operator and order it to make rectifications. A fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on such operator if it refuses to make rectifications or in case of consequential severe damage to the network, and a fine ranging from 5,000 to 50,000 yuan shall be imposed on the supervisor directly in charge.
|
【Liabilities for violating network security protection】
The competent authority shall warn such operator and order it to make rectifications. A fine of up to 1 million yuan shall be imposed in case of refusal to make rectifications or severe violations, and further penalties such as suspension of related business, winding up for rectification, shutdown of website, and revocation of business license may be concurrently imposed by the competent authority. A fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge and other directly liable persons.
For any illegal act specified in the preceding paragraph with particularly serious circumstances, the competent authority at or above the provincial level shall order it to make rectifications, and impose a fine ranging from 1 million to 50 million yuan or not more than 5% of its turnover in the previous year, and may also order it to suspend relevant business or suspend business for rectification, shutdown of website, and revocation of relevant business permit or business license; a fine ranging from 100,000 yuan to 1 million yuan shall be imposed on the person directly in charge and other directly liable persons, and a decision may be made to prohibit the said persons from taking positions of directors, supervisors, senior executives or key cybersecurity and network operation positions.
|
Article 25 Network operators shall develop an emergency plan for cybersecurity events to promptly respond to such security risks as system bug, computer virus, network attacks and intrusions. For an event that threatens cybersecurity, the operator concerned shall forthwith initiate the emergency plan, take corresponding remedial actions, and report as required such event to competent authority concerned.
|
Article 33 A critical information infrastructure shall be developed with the capacity to support the steady and continuous business operation, and technical security measures shall be planned, established and put into use simultaneously.
|
【Liabilities for CII who violates network operation security obligations】
The competent authority shall warn such operator and order it to make rectifications. A fine ranging from 100,000 yuan to 1 million yuan shall be imposed on such operator if it refuses to make rectifications or in case of consequential severe damage to the network, and a fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge.
|
Article 34 In addition to those provided in Article 20 hereof, the operator of a critical information infrastructure shall also fulfill obligations of security protection as follows: 1. Set up a dedicated security management body and designate a person in charge, and review the security backgrounds of the said person and those in key positions; 2. Provide practitioners with regular cybersecurity education, technical training and skill assessment; 3. Make disaster recovery backup of important systems and databases; 4. Work out an emergency plan for cybersecurity events and carry out drills regularly; and 5. Perform other obligations provided for in relevant laws and administrative regulations.
|
|
Article 36 The operator of a critical information infrastructure shall, in purchase of network products and services, enter into an agreement with the product/service provider in which obligations and responsibilities of security and confidentiality shall be specified.
|
Article 38 The operator of a critical information infrastructure shall conduct, by itself or entrusting a cybersecurity service provider, examination and assessment of its cybersecurity and potential risks at least once a year, and submit the examination and assessment results as well as improvement measures to the competent authorities in charge of the security of the critical information infrastructure.
|
Article 22 Paragraph 1 & 2 Network products and services shall satisfy the mandatory requirements set forth in applicable national standards. Any provider of network products or services shall not install malwares. For any risk such as security defect or bug that is found, the provider concerned shall, as required, immediately take remedial actions, inform the users of the said risk, and report the case to the competent authority.
A provider of network products or services shall also provide consistent security maintenance for its products or services. Such maintenance shall not be discontinued within the prescribed term or the term agreed upon by the parties thereto.
|
【Liabilities for violating network product and service security obligations】
The competent authority shall give a warning and an order of rectification. A fine ranging from 50,000 yuan to 500,000 yuan shall be imposed in case of refusal to make rectifications or in case of consequential severe damage to the network, and a fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge.
To view the full article click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.