Authors: Kevin DUAN | Kemeng CAI | Jin JIN
I. Introduction
On September 14, 2022, the Cyberspace Administration of China (the "CAC") released an exposure draft of the Decision on Amending the Cybersecurity Law of the People's Republic of China (Draft for Comment) (the "Draft"). In general, the Draft would impose more stringent legal liabilities for certain violations of the Cybersecurity Law (the "CSL") and systematically consolidate and unify penalties for violating security protection obligations relating to network operations, network information, critical information infrastructure ("CII"), and personal information. The Draft would also coordinate with the Personal Information Protection Law (the "PIPL"), the Data Security Law, and other new laws. We briefly summarize the key points of the Draft below.
II. Stricter Legal Liabilities for Violating Network Operation Security Obligations
The Draft would consolidate and unify liabilities for violating various general provisions on network operation security, including the security protection obligations required by the Multi-level Protection Scheme, the obligation to develop and implement emergency plans for network security incidents, and the obligation to provide continuous security maintenance for products and services. Compared to the current CSL, the Draft would add penalties for violating Article 23, which requires security certification or security testing of critical network equipment and special-purpose cybersecurity products. Notably, liabilities for violating these provisions would become more stringent. The Draft echoes Article 66 of the PIPL by raising the maximum fine for personal information processors to RMB 50 million or five percent of the previous year's turnover. The Draft would also raise the maximum fine for persons directly liable to 1 million yuan and add the penalty of prohibiting such persons from holding management positions or key cybersecurity protection positions.
| Related Articles | Liabilities under the CSL | Liabilities under the Draft |
|---|---|---|
| Article 21 The State adopts the Multi-level Protection Scheme, under which network operators are required to perform the following security protection obligations to ensure that the network is free from interference, disruption or unauthorized access, and to prevent network data from being disclosed, stolen or tampered with: 1. Formulating internal security management systems and operation instructions, determining the person in charge of cybersecurity and defining accountabilities for cybersecurity; 2. Taking technical measures to prevent computer viruses, network attacks, network intrusions and other activities that endanger cybersecurity; 3. Taking technical measures to monitor and record network operation and cybersecurity events, and maintaining the cyber-related logs for no less than six months as required; 4. Taking such measures as data classification, and backup and encryption of important data, etc.; and 5. Performing other obligations provided for in relevant laws and administrative regulations. | 【Liabilities for violating network operation security】 The competent authority shall warn such operator and order it to make rectifications. A fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on such operator if it refuses to make rectifications or in case of consequential severe damage to the network, and a fine ranging from 5,000 yuan to 50,000 yuan shall be imposed on the supervisor directly in charge. | 【Liabilities for violating network security protection】 The competent authority shall warn such operator and order it to make rectifications. A fine of up to 1 million yuan shall be imposed in case of refusal to make rectifications or severe violations, and further penalties such as suspension of related business, winding up for rectification, shutdown of website, and revocation of business license may be concurrently imposed by the competent authority. A fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge and other directly liable persons. For any illegal act specified in the preceding paragraph with particularly serious circumstances, the competent authority at or above the provincial level shall order it to make rectifications, and impose a fine ranging from 1 million to 50 million yuan or not more than 5% of its turnover in the previous year, and may also order it to suspend relevant business or suspend business for rectification, shutdown of website, and revocation of relevant business permit or business license; a fine ranging from 100,000 yuan to 1 million yuan shall be imposed on the person directly in charge and other directly liable persons, and a decision may be made to prohibit the said persons from taking positions of directors, supervisors, senior executives or key cybersecurity and network operation positions. |
| Article 25 Network operators shall develop an emergency plan for cybersecurity events to promptly respond to such security risks as system bugs, computer viruses, network attacks and intrusions. For an event that threatens cybersecurity, the operator concerned shall forthwith initiate the emergency plan, take corresponding remedial actions, and report such event as required to the competent authority concerned. | (as above) | (as above) |
| Article 33 A critical information infrastructure shall be developed with the capacity to support steady and continuous business operation, and technical security measures shall be planned, established and put into use simultaneously. | 【Liabilities for CII operators who violate network operation security obligations】 The competent authority shall warn such operator and order it to make rectifications. A fine ranging from 100,000 yuan to 1 million yuan shall be imposed on such operator if it refuses to make rectifications or in case of consequential severe damage to the network, and a fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge. | (as above) |
| Article 34 In addition to those provided in Article 20 hereof, the operator of a critical information infrastructure shall also fulfill the following security protection obligations: 1. Set up a dedicated security management body and designate a person in charge, and review the security backgrounds of the said person and those in key positions; 2. Provide practitioners with regular cybersecurity education, technical training and skill assessment; 3. Make disaster recovery backups of important systems and databases; 4. Work out an emergency plan for cybersecurity events and carry out drills regularly; and 5. Perform other obligations provided for in relevant laws and administrative regulations. | (as above) | (as above) |
| Article 36 The operator of a critical information infrastructure shall, when purchasing network products and services, enter into an agreement with the product/service provider in which the obligations and responsibilities for security and confidentiality are specified. | (as above) | (as above) |
| Article 38 The operator of a critical information infrastructure shall conduct, by itself or by entrusting a cybersecurity service provider, an examination and assessment of its cybersecurity and potential risks at least once a year, and submit the examination and assessment results as well as improvement measures to the competent authorities in charge of the security of the critical information infrastructure. | (as above) | (as above) |
| Article 22 Paragraphs 1 & 2 Network products and services shall satisfy the mandatory requirements set forth in applicable national standards. No provider of network products or services shall install malware. For any risk such as a security defect or bug that is found, the provider concerned shall, as required, immediately take remedial actions, inform the users of the said risk, and report the case to the competent authority. A provider of network products or services shall also provide continuous security maintenance for its products or services. Such maintenance shall not be discontinued within the prescribed term or the term agreed upon by the parties thereto. | 【Liabilities for violating network product and service security obligations】 The competent authority shall give a warning and an order of rectification. A fine ranging from 50,000 yuan to 500,000 yuan shall be imposed in case of refusal to make rectifications or in case of consequential severe damage to the network, and a fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge. | (as above) |
| Article 48 Paragraph 1 Electronic information sent and applications provided by any individual or organization shall be free of malware and of information that is prohibited by laws and administrative regulations from release or transmission. | (as above) | (as above) |
| Article 24 Network operators shall require users to provide their real identity information when signing agreements or confirmations on the provision of such services as network access, domain name registration, fixed phone and mobile phone network access, or information release and instant communication. If a user does not provide his/her real identity information, no network operator may provide related services to the user. | 【Liabilities for violating user identification obligation】 The competent authority shall order such operator to make rectifications. A fine ranging from 50,000 yuan to 500,000 yuan shall be imposed in case of refusal to make rectifications or of severe circumstances, and further penalties such as suspension of related business, winding up for rectification, shutdown of website, and revocation of business license may be imposed by the competent authority. A fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge and other directly liable persons. | (as above) |
| Article 26 Activities such as cybersecurity authentication, testing, and risk assessment, and the release of cybersecurity information such as system bugs, computer viruses, network attacks and intrusions shall be carried out in compliance with applicable regulations of the State. | 【Liabilities for illegally operating network service】 The competent authority shall warn such operator and order it to make rectifications. A fine ranging from 10,000 yuan to 100,000 yuan shall be imposed in case of refusal to make rectifications or severe circumstances, and further penalties such as suspension of related business, winding up for rectification, closure of website, and revocation of business license may be imposed by the competent authority. A fine ranging from 5,000 yuan to 50,000 yuan shall be imposed on the supervisor directly in charge and other directly liable persons. | (as above) |
| Article 23 Under the compulsory requirements set forth in national standards, critical network equipment and special-purpose cybersecurity products shall not be sold or supplied until such equipment or product successfully passes security certification or security tests by a qualified organization. The CAC shall work with the departments concerned of the State Council to formulate and release a catalogue of critical network equipment and special-purpose cybersecurity products, and promote mutual recognition of security certificates and security test results to avoid repeated certification and tests. | Liabilities not stipulated | (as above) |
| Article 28 Network operators shall provide public security organs and national security authorities with technical support and assistance in their efforts to safeguard national security and investigate crimes. | 【Liabilities for refusing to assist in maintaining national security and investigating crimes】 Shall be warned and ordered by the competent authority to make rectifications. A fine ranging from 50,000 yuan to 500,000 yuan shall be imposed in case of refusal to make rectifications or severe violations, and a fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge and other directly liable persons. | (as above) |
| Article 27 No individual or organization may engage in activities that threaten cybersecurity, such as unlawful intrusion into others' networks, interfering with the normal functions of others' networks and stealing network data; provide programs or tools for such intrusion, interference or theft; or provide any assistance such as technical support, advertisement, payment or settlement to any other person while fully aware that such person engages in an activity endangering cybersecurity. | 【Liabilities for threatening network security】 Where the conduct does not constitute a crime, it shall be subject to confiscation of illegal earnings and detention of less than 5 days by the public security authority and a fine ranging from 50,000 yuan to 500,000 yuan. Severe violations in this regard shall be subject to detention of above 5 days but below 15 days and a fine ranging from 100,000 yuan to 1 million yuan. Any organization engaging in the conduct mentioned in the preceding paragraph shall be subject to confiscation of illegal earnings by the public security authority and a fine ranging from 100,000 yuan to 1 million yuan. The supervisor directly in charge and other directly liable persons shall be subject to the penalty prescribed in the preceding paragraph. Any person who violates Article 27 hereof and receives public security administrative punishment shall not be allowed to hold key posts of cybersecurity and network operation for 5 years, and any such person who receives criminal punishment shall not be allowed to hold key posts of cybersecurity and network operation for his/her lifetime. | 【Liabilities for causing severe damage to network security】 Where the conduct does not constitute a crime, it shall be subject to confiscation of illegal earnings and detention of less than 5 days by the public security authority and a fine ranging from 50,000 yuan to 500,000 yuan. Severe violations in this regard shall be subject to detention of above 5 days but below 15 days and a fine ranging from 100,000 yuan to 1 million yuan. Any organization engaging in the conduct mentioned in the preceding paragraph shall be subject to confiscation of illegal earnings by the public security authority and a fine ranging from 100,000 yuan to 1 million yuan. The supervisor directly in charge and other directly liable persons shall be subject to the penalty prescribed in the preceding paragraph. Any person who violates Article 27 hereof and receives public security administrative punishment shall not be allowed to hold key posts of cybersecurity and network operation for 5 years, and any such person who receives criminal punishment shall not be allowed to hold key posts of cybersecurity and network operation for his/her lifetime. |
| Article 46 Any individual or organization is responsible for his/its use of the network, and shall neither establish any website or online communication group for the purpose of conducting fraud, transmitting criminal methods, making or selling prohibited or controlled items, or conducting other illegal criminal activities, nor utilize the network to release information involving the implementation of fraud, the making or sale of prohibited or controlled items, or any other illegal criminal activity. | 【Liabilities for committing crimes through use of the network】 If such violation does not constitute a crime, such individual or organization shall be subject to detention of less than 5 days by the public security authority and a fine ranging from 10,000 yuan to 100,000 yuan. Severe violations in this regard shall be subject to detention of more than 5 days but less than 15 days and a concurrent fine ranging from 50,000 yuan to 500,000 yuan. The website or online communication group involved in the violation shall be closed. Units engaging in the conduct mentioned in the preceding paragraph shall be subject to a fine ranging from 100,000 yuan to 500,000 yuan by the public security authority. The supervisor directly in charge and other directly liable persons shall be subject to the penalty prescribed in the preceding paragraph. | |
III. Align with the PIPL on Liabilities for Violating Personal Information Rights
Prior to the effective date of the PIPL (November 1, 2021), the competent authorities mainly imposed administrative penalties for violations of personal information rights based on provisions in the CSL. Naturally, after the PIPL came into force, liabilities related to personal information protection in the CSL should be consistent with the PIPL to avoid any conflict in their application. The Draft would replace the penalty provisions in the current CSL on violating personal information rights with provisions that refer to the PIPL and other applicable laws and administrative regulations. On the one hand, the Draft retains the penalties that conform to related provisions of the PIPL. On the other hand, compared to the current CSL, the Draft would toughen legal liabilities for violations of personal information rights.
| Related Articles | Liabilities under the CSL | Liabilities under the Draft |
|---|---|---|
| Article 22 Paragraph 3 A provider of network products or services shall expressly notify and obtain the consent of users if the products or services collect user information; and if users' personal information is involved, the provider shall also comply with the provisions of the present Law and the relevant laws and administrative regulations governing the protection of personal information. | 【Liabilities for violating personal information rights】 The competent authority shall order such operator or provider to make rectifications, and such operator or provider may be subject to one or a combination of the following actions, depending on the severity of the circumstances: warning, confiscation of illegal earnings, a fine equivalent to more than 1 but less than 10 times the illegal earnings, or, if there are no illegal earnings, a fine of less than 1 million yuan; the supervisor directly in charge and other directly liable persons shall be subject to a fine ranging from 10,000 yuan to 100,000 yuan. In case of severe violations, the competent authority may order suspension of related business, winding up for rectification, shutdown of website, and revocation of the business license of such operator or provider. | 【Liabilities for violating personal information rights】 Shall be subject to penalties pursuant to applicable laws and administrative regulations. |
| Article 41 Network operators shall abide by the "lawful, justifiable and necessary" principles when collecting and using personal information, by announcing rules for collection and use, expressly notifying the purpose, methods and scope of such collection and use, and obtaining the consent of the person whose personal information is to be collected. No network operator may collect any personal information that is not related to the services it provides. It shall collect, use, process and store personal information in accordance with laws and administrative regulations and its agreement with the users. | (as above) | (as above) |
| Article 42 No network operator may disclose, tamper with or destroy personal information that it has collected, or disclose such information to others without the prior consent of the person whose personal information has been collected, unless such information has been processed so that a specific person cannot be identified and the information cannot be restored. A network operator shall take technical and other necessary measures to ensure the security of the personal information it collects, and to protect such information from disclosure, damage or loss. In case of disclosure, damage or loss of, or possible disclosure, damage or loss of, such information, the network operator shall take immediate remedies, notify the users in accordance with the relevant provisions, and report to the competent authority. | (as above) | (as above) |
| Article 43 Each individual is entitled to require a network operator to delete his or her personal information if he or she finds that the collection and use of such information by such operator violates the laws, administrative regulations or the agreement between such operator and him or her; and is entitled to require any network operator to make corrections if he or she finds errors in such information collected and stored by such operator. Such operator shall take measures to delete the information or correct the error. | (as above) | (as above) |
| Article 44 No individual or organization may steal or otherwise unlawfully obtain any personal information, or sell or unlawfully provide any personal information to others. | 【Liabilities for violating personal information rights】 Where the conduct does not constitute a crime, it shall be subject to confiscation of illegal earnings by the public security authority and a concurrent fine equivalent to more than 1 but less than 10 times the illegal earnings, or a fine of less than 1 million yuan if there are no illegal earnings. | |
IV. Impose Stricter Legal Liabilities for Violating CII Security Protection Obligations
For violations of the national security review requirements for procurement by CII operators, the Draft would also raise the maximum fine to five percent of the violator's previous year's turnover. For violations of the data localization and data export requirements for CII operators, the Draft refers to Article 46 of the Data Security Law and Article 66 of the PIPL, both of which impose stricter legal liabilities on CII operators.
| Related Articles | Liabilities under the CSL | Liabilities under the Draft |
|---|---|---|
| Article 35 Any purchase of network products and services by the operator of a critical information infrastructure that may threaten national security is subject to the national security review conducted by the CAC together with the competent departments of the State Council. | 【Liabilities for violating national security review requirement for CII procurement】 Shall be ordered by the competent authority to stop such use and shall be subject to a fine equivalent to more than 1 but less than 10 times the purchase price, and the supervisor directly in charge and other directly liable persons shall be subject to a fine ranging from 10,000 yuan to 100,000 yuan. | 【Liabilities for violating national security review requirement for CII procurement】 Shall be ordered by the competent authority to stop such use and shall be subject to a fine equivalent to more than 1 but less than 10 times the purchase price or not more than 5% of its turnover of the previous year, and the supervisor directly in charge and other directly liable persons shall be subject to a fine ranging from 10,000 yuan to 100,000 yuan. |
| Article 37 The operator of a critical information infrastructure shall store within the territory of the People's Republic of China the personal information and important data collected and generated during its operation within the territory of the People's Republic of China. Where such information and data have to be provided abroad for business purposes, a security assessment shall be conducted pursuant to the measures developed by the CAC together with the competent departments of the State Council, unless otherwise provided for in laws and administrative regulations, in which case such laws and administrative regulations shall prevail. | 【Liabilities for violating CII data storage and export requirement】 Shall be warned and ordered by the competent authority to make rectifications, and shall be subject to confiscation of illegal earnings and a fine ranging from 50,000 yuan to 500,000 yuan, and may be subject to suspension of related business, winding up for rectification, shutdown of website, and revocation of business license, and the supervisor directly in charge and other directly liable persons shall be subject to a fine ranging from 10,000 yuan to 100,000 yuan. | 【Liabilities for violating CII data storage and export requirement】 Shall be subject to penalties pursuant to applicable laws and administrative regulations. |
V. Integrate Liabilities For Violating Network Information Security Obligations
The Draft integrates liabilities for violating network information security obligations, including user information governance, security management, and the establishment of network information security complaint and reporting systems. Similar to the aforementioned sections, the Draft raises the maximum fine to 50 million yuan or five percent of the violator's previous year's turnover and adds a prohibition on directly liable persons from taking management or key cybersecurity protection positions.
| Related Articles | Liabilities under the CSL | Liabilities under the Draft |
|---|---|---|
| Article 48 Paragraph 1 Electronic information sent and applications provided by any individual or organization shall be free of malware and of information that is prohibited by laws and administrative regulations from release or transmission. | 【Liabilities for providing malicious programs in the network】 The competent authority shall give a warning and an order of rectification. A fine ranging from 50,000 yuan to 500,000 yuan shall be imposed in case of refusal to make rectifications or in case of consequential severe damage to the network, and a fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge. | 【Liabilities for violating information security management obligations】 The competent authority shall warn such operator and order it to make rectifications, and shall confiscate its illegal earnings. A fine of up to 1 million yuan shall be imposed in case of refusal to make rectifications or severe violations, and further penalties such as suspension of related business, winding up for rectification, shutdown of website, and revocation of business license may be concurrently imposed by the competent authority. A fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge and other directly liable persons. For any illegal act specified in the preceding paragraph with particularly serious circumstances, the competent authority at or above the provincial level shall order it to make rectifications, and impose a fine ranging from 1 million to 50 million yuan or not more than 5% of its turnover of the previous year, and may also order it to suspend relevant business or suspend business for rectification, shutdown of website, and revocation of relevant business permit or business license; a fine ranging from 100,000 yuan to 1 million yuan shall be imposed on the person directly in charge and other directly liable persons, and a decision may be made to prohibit the said persons from acting as directors, supervisors or senior executives or from holding key posts of cybersecurity and network operation. |
| Article 47 A network operator shall strengthen the management of the information released by its users. If it finds any information that is prohibited by laws and administrative regulations from release or transmission, it shall immediately cease transmission of such information, and take measures such as deletion to prevent the dissemination of such information. The operator shall also keep relevant records, and report the case to the competent authority. | 【Liabilities for violating information security management obligations】 The competent authority shall warn such operator and order it to make rectifications, and shall confiscate its illegal earnings. A fine ranging from 100,000 yuan to 500,000 yuan shall be imposed in case of refusal to make rectifications or severe violations, and further penalties such as suspension of related business, winding up for rectification, shutdown of website, and revocation of business license may be concurrently imposed by the competent authority. A fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge and other directly liable persons. | (as above) |
| Article 48 Paragraph 2 Providers of electronic information transmission services and application download services shall assume security management obligations. If any such provider becomes aware that its user engages in any act mentioned in the preceding paragraph, such provider shall immediately stop providing such service, take measures such as deletion, keep the records, and report to the competent authority. | (as above) | (as above) |
| Article 49 A network operator shall establish network information security complaint and reporting mechanisms, and shall publish the complaint and reporting channels to promptly accept and settle complaints and reports concerning network information security. Network operators shall cooperate with the Cyberspace administration and any other competent authority in their lawful inspections and supervision. | 【Liabilities for hindering enforcement by competent authorities】 Shall be warned and ordered by the competent authority to make rectifications. A fine ranging from 50,000 yuan to 500,000 yuan shall be imposed in case of refusal to make rectifications or severe violations, and a fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge and other directly liable persons. | (as above) |
| Article 12 Paragraph 2 Individuals and organizations using the network shall comply with the Constitution and laws, follow the public order, and show respect for social moralities, and shall neither impair cybersecurity nor engage in activities, by making use of the network, that endanger national security, honor and interests, incite subversion of the state power or overthrow of the socialist system, incite splitting of the country, undermine national unity, advocate terrorism and extremism, ethnic hatred and discrimination, spread violent and pornographic information, fabricate and disseminate false information to disrupt economic and social orders, or infringe upon the reputation, privacy, intellectual property and other legitimate rights and interests of others. | 【Liabilities for release or transmission of prohibited information】 Shall be subject to penalties pursuant to applicable laws and administrative regulations. | 【Liabilities for release or transmission of prohibited information】 Shall be subject to penalties pursuant to applicable laws and administrative regulations. Where there are no provisions on such cases, the competent authority shall warn such operator and order it to make rectifications, and shall confiscate its illegal earnings. A fine of up to 1 million yuan shall be imposed in case of refusal to make rectifications or severe violations, and further penalties such as suspension of related business, winding up for rectification, shutdown of website, and revocation of business license may be concurrently imposed by the competent authority. A fine ranging from 10,000 yuan to 100,000 yuan shall be imposed on the supervisor directly in charge and other directly liable persons. For any illegal act specified in the preceding paragraph with particularly serious circumstances, the competent authority at or above the provincial level shall order it to make rectifications, and impose a fine ranging from 1 million to 50 million yuan or not more than 5% of its turnover of the previous year, and may also order it to suspend relevant business or suspend business for rectification, shutdown of website, and revocation of relevant business permit or business license; a fine ranging from 100,000 yuan to 1 million yuan shall be imposed on the person directly in charge and other directly liable persons, and a decision may be made to prohibit the said persons from acting as directors, supervisors or senior executives or from holding key posts of cybersecurity and network operation. |
VI. Conclusion
The Draft mainly focuses on imposing stricter liabilities for violations of the CSL and conforming to the PIPL on the maximum penalties of both the company and persons directly liable, thereby reflecting China's strong attitude toward cybersecurity protection. The Draft is currently open for public comments and there remains significant time before it may enter into force. Therefore, parties who engage in network operations should continue to actively fulfill their obligations relating to network operation security, network information security, and personal information protection, and monitor this and other legislative developments.
Important Announcement
This Legal Commentary has been prepared for clients and professional associates of Han Kun Law Offices. Whilst every effort has been made to ensure accuracy, no responsibility can be accepted for errors and omissions, however caused. The information contained in this publication should not be relied on as legal advice and should not be regarded as a substitute for detailed advice in individual cases. If you have any questions regarding this publication, please contact:
Kevin DUAN, Tel: +86 10 8516 4123, Email: kevin.duan@hankunlaw.com
Kemeng CAI, Tel: +86 10 8516 4289, Email: kemeng.cai@hankunlaw.com