On 14th September, the Cyberspace Administration of China (CAC) released the Notice on Soliciting Public Opinions on the Cybersecurity Law (Draft for Comment) (hereinafter referred to as the Draft). Since the current Cybersecurity Law entered into force in 2017, the growing risk from cyberattacks, combined with penalties widely seen as too light to deter non-compliance, has raised doubts about the law's capacity to deter attacks and safeguard national cybersecurity. In this context, China's government initiated a revision of the Cybersecurity Law aimed mostly at overhauling its legal liability provisions.

The following is a summary of the main changes introduced by the Draft that affect overseas stakeholders.

  1. Increasing, in the general provisions on legal liability, the severity of punishment for non-compliance. On the premise that the existing penalty rules are not a sufficient deterrent for large internet companies, the Draft introduces adjustments that allow law enforcement bodies to impose more severe punishment. The increase in severity is reflected in:
  • the addition of new types of administrative punishment, with the amount of the fine potentially linked to the company's turnover
  • the removal of the upper limit on fines, which may now exceed 1 million RMB
  • a prohibition, where deemed necessary, on relevant personnel working in relevant areas or holding relevant positions.

At the same time, these adjustments have drawn criticism over their workability:

  • Wide discretion. The type and degree of the fine depend entirely on the "seriousness of the circumstances", which leaves law enforcers too much latitude in deciding the final punishment.
  • Absence of the principle of "no penalty for compliance". The Draft does not apply this principle in its newly added and revised articles. Without it, actors that comply with the law may still be punished for cybersecurity incidents they could not have foreseen.
  • Unclear definition of certain categories of personnel held accountable, which could result in improper punishment. The clearest examples are "directly responsible personnel" and "personnel in key positions of network operation". An entity could, for instance, designate one individual as directly responsible for network security without granting that person any real authority; this is a loophole that could be exploited.
  2. Optimising, in the provisions on critical information infrastructure (CII) protection and cyberspace information security protection, the penalties for non-compliance. These adjustments are largely aimed at offering better protection for CII and cyberspace information.
  3. Adding references to other existing laws, mainly the Personal Information Protection Law, for handling non-compliance cases involving personal information protection, with the purpose of avoiding overlaps and maintaining the consistency of the legal system.

In general, the major adjustments in the Draft concern the legal consequences of non-compliance and the severity of punishment; the articles setting out specific cybersecurity requirements are unchanged. These adjustments nonetheless require foreign stakeholders to pay closer attention to the cybersecurity of their products and services. The most problematic issue for foreign stakeholders is the absence of the principle of "no penalty for compliance": without it, compliant companies might be fined for unforeseen cybersecurity incidents. It is not clear whether the final text of the revised Cybersecurity Law will incorporate this principle. Finally, foreign stakeholders should also watch for clarification in the final text of what "turnover" refers to: turnover generated in China, or global turnover.

In essence, compared with the law currently in force, the Draft allows much more severe punishment with no upper limit, which may make it a stronger deterrent. However, the wide discretion it grants, together with the other defects noted above, might also leave room for abuse of power by law enforcers.