On October 31, the Xinhua news agency reported that the Standing Committee of China’s National People’s Congress (“NPC”) is conducting the third reading of the draft Cybersecurity Law (“the Law”). NPC released two previous drafts of the Law for public comment in July 2015 and July 2016 (see Covington e-alerts here and here), but the full text of the third draft has not yet been released to the public.  This blog post summarizes key changes mentioned in the Xinhua report, which is based on the unreleased third draft.

More specific definition of “Critical Information Infrastructure” (“CII”). The latest draft restores language making specific reference to a number of key sectors such as finance, transportation, and e-government in the definition of CII. Note that such reference was removed in the second draft.  This increased specificity is, however, accompanied by broadly worded language retained from the second draft defining CII as “infrastructure that, in the event of damage, loss of function, or data leak, might seriously endanger national security, the national welfare, the livelihoods of the people, or the public interest.”

While this revision may shed some light on what sectors might be covered as CII, the catch-all stipulation in the second half of the definition gives the government considerable latitude if it intends to expand the definition of CII when promulgating and enforcing the implementing regulations.

New penalties directed at foreign individuals or organizations attacking Chinese CII. The third- draft inserts language to impose penalties, such as asset freezing or other sanctions,  on foreign organizations and  individuals who launch attacks upon China’s CII. This provision adds teeth to the law as the penalties for such acts provided in the second draft (i.e., warnings, suspension of operations, revocation of licenses, fines set within a fixed range, etc.) would not have any detrimental effect on foreign organizations or  individuals.

Greater punishments for online fraud and other new forms of cybercrime. Facing increasing online fraud and new forms of cybercrime, the third draft adds a provision prohibiting individuals and organizations from establishing “websites or communication groups for carrying out fraud, passing on criminal methods, producing or selling contraband or controlled items and engaging in other illegal criminal activities” or to publish information relating to such activities online.

This provision seems to reinforce various government agencies’ ongoing efforts to combat widespread cybercrime and it increases penalties for engaging in criminal activities in the cyberspace.

Promotion of network interoperability and standardization. The third draft includes new provisions on promoting the interoperability of network infrastructures, cultivating network security talent, and supporting the formulation of network security standards.

While such additions may be welcome for the purposes of enhancing cybersecurity, they may raise concerns if interpreted narrowly to exclude foreign standards. For example, does the idea of interoperability extend beyond China’s borders to allow for cross-border interactions and participation in activities undertaken in cyberspace?  Will China adopt standards that are compatible with international ones, or seek to develop its own homegrown standards in an attempt to develop its own cyber ecosystem?  It is uncertain how the agencies will implement such provisions in practice.

New provisions addressing the online protection of minors. New provisions have been added in the third draft to provide for general principles for the protection of minors online.  These principles are intended to provide a basis for developing auxiliary laws and regulations on the subject with the objective of creating a network environment that is conducive to the healthy growth of minors.  This is in line with efforts by China’s top internet regulator, the Cyberspace Administration of China (“CAC”), which recently issued a draft regulation on the protection of minors in cyberspace.  See our note on that draft regulation here.

Given that the National People’s Congress is now conducting its third reading of the draft Law, it will likely be finalized and officially promulgated very soon. We expect other controversial provisions, such as various data localization and cross-border data transfer requirements, to remain in the final text of the law.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Yan Luo Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named as Global Data Review’s40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Photo of Ashwin Kaja Ashwin Kaja

With over a decade of experience in China, Ashwin Kaja helps multinational companies, governments, and other clients understand and navigate the complex legal and policy landscape in the country. He plays a leading role in Covington’s China international trade and public policy practices…

With over a decade of experience in China, Ashwin Kaja helps multinational companies, governments, and other clients understand and navigate the complex legal and policy landscape in the country. He plays a leading role in Covington’s China international trade and public policy practices and, outside of Covington, serves as the General Counsel of the American Chamber of Commerce in China.

Ashwin helps clients solve acute problems that arise in the course of doing business in China and position themselves for longer-term success in the country’s rapidly evolving legal and policy environment. He is an expert on Chinese industrial policy and has worked on matters related to a wide range of sectors including technology, financial services, life sciences, and the social sector. Ashwin has also counseled a range of clients on data privacy and cybersecurity-related matters.

As the General Counsel of the American Chamber of Commerce in China (AmCham China), Ashwin serves as a senior officer of the organization and as an ex officio member of its Board of Governors, supporting nearly one thousand member companies in developing their businesses in China and advocating for their needs with China’s central and local governments.