On October 31, the Xinhua news agency reported that the Standing Committee of China’s National People’s Congress (“NPC”) is conducting the third reading of the draft Cybersecurity Law (“the Law”). The NPC released two previous drafts of the Law for public comment in July 2015 and July 2016 (see Covington e-alerts here and here), but the full text of the third draft has not yet been released to the public. This blog post summarizes key changes mentioned in the Xinhua report, which is based on the unreleased third draft.

More specific definition of “Critical Information Infrastructure” (“CII”). The latest draft restores language making specific reference to a number of key sectors such as finance, transportation, and e-government in the definition of CII. Note that such reference was removed in the second draft.  This increased specificity is, however, accompanied by broadly worded language retained from the second draft defining CII as “infrastructure that, in the event of damage, loss of function, or data leak, might seriously endanger national security, the national welfare, the livelihoods of the people, or the public interest.”

While this revision may shed some light on what sectors might be covered as CII, the catch-all stipulation in the second half of the definition gives the government considerable latitude if it intends to expand the definition of CII when promulgating and enforcing the implementing regulations.

New penalties directed at foreign individuals or organizations attacking Chinese CII. The third draft inserts language to impose penalties, such as asset freezing or other sanctions, on foreign organizations and individuals who launch attacks upon China’s CII. This provision adds teeth to the law as the penalties for such acts provided in the second draft (i.e., warnings, suspension of operations, revocation of licenses, fines set within a fixed range, etc.) would not have any detrimental effect on foreign organizations or individuals.

Greater punishments for online fraud and other new forms of cybercrime. Facing increasing online fraud and new forms of cybercrime, the third draft adds a provision prohibiting individuals and organizations from establishing “websites or communication groups for carrying out fraud, passing on criminal methods, producing or selling contraband or controlled items and engaging in other illegal criminal activities” or publishing information relating to such activities online.

This provision seems to reinforce various government agencies’ ongoing efforts to combat widespread cybercrime, and it increases penalties for engaging in criminal activities in cyberspace.

Promotion of network interoperability and standardization. The third draft includes new provisions on promoting the interoperability of network infrastructures, cultivating network security talent, and supporting the formulation of network security standards.

While such additions may be welcome for the purposes of enhancing cybersecurity, they may raise concerns if interpreted narrowly to exclude foreign standards. For example, does the idea of interoperability extend beyond China’s borders to allow for cross-border interactions and participation in activities undertaken in cyberspace?  Will China adopt standards that are compatible with international ones, or seek to develop its own homegrown standards in an attempt to develop its own cyber ecosystem?  It is uncertain how the agencies will implement such provisions in practice.

New provisions addressing the online protection of minors. New provisions have been added in the third draft to provide for general principles for the protection of minors online.  These principles are intended to provide a basis for developing auxiliary laws and regulations on the subject with the objective of creating a network environment that is conducive to the healthy growth of minors.  This is in line with efforts by China’s top internet regulator, the Cyberspace Administration of China (“CAC”), which recently issued a draft regulation on the protection of minors in cyberspace.  See our note on that draft regulation here.

Given that the National People’s Congress is now conducting its third reading of the draft Law, it will likely be finalized and officially promulgated very soon. We expect other controversial provisions, such as various data localization and cross-border data transfer requirements, to remain in the final text of the law.

Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.

Yan was named to Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Yan is a Certified Information Privacy Professional (CIPP/Asia) by the International Association of Privacy Professionals and an active member of the American Bar Association’s Section of Antitrust Law.

Ashwin Kaja

With over a decade of experience in China, Ashwin Kaja helps multinational companies, governments, and other clients understand and navigate the complex legal and policy landscape in the country. He plays a leading role in Covington’s China international trade and public policy practices and, outside of Covington, serves as the General Counsel of the American Chamber of Commerce in China.

Ashwin helps clients solve acute problems that arise in the course of doing business in China and position themselves for longer-term success in the country’s rapidly evolving legal and policy environment. He is an expert on Chinese industrial policy and has worked on matters related to a wide range of sectors including technology, financial services, life sciences, and the social sector. Ashwin has also counseled a range of clients on data privacy and cybersecurity-related matters.

As the General Counsel of the American Chamber of Commerce in China (AmCham China), Ashwin serves as a senior officer of the organization and as an ex officio member of its Board of Governors, supporting nearly one thousand member companies in developing their businesses in China and advocating for their needs with China’s central and local governments.