China plans to increases fines for data breaches

Chinese lawmakers are reviewing a draft amendment to the nation's Cybersecurity Law that aims to strengthen penalties for violations, including those that result in large-scale data breaches and the partial loss of functionality of critical information infrastructure.

The draft was submitted on Monday to the ongoing session of the Standing Committee of the National People's Congress, China's national legislature, for its first reading, marking the first revision of the Cybersecurity Law since it was implemented in 2017.

Under the draft amendment, operators of critical information infrastructure who fail to fulfill cybersecurity protection obligations as stipulated by the law, resulting in "serious" or "particularly severe" consequences for cybersecurity, could face fines ranging from 500,000 to 10 million yuan ($70,125 to 1.4 million).

These serious or particularly severe consequences include large-scale data breaches, partial loss of functionality of critical information infrastructure, or even the loss of main functions, according to the draft.

Additionally, if the main functions of critical information infrastructure are lost, the directly responsible individuals could face fines ranging from 200,000 to 1 million yuan. The current Cybersecurity Law does not specify these penalties.

Under the current law, operators of critical information infrastructure are required to establish dedicated institutions and personnel, conduct security background checks on those responsible and on key positions, perform disaster recovery backups for important systems and databases, develop emergency response plans for cybersecurity incidents, and conduct annual risk assessments.

The draft also increases penalties for network operators who fail to take required measures against the dissemination or transmission of information prohibited by laws and regulations. If these operators do not stop the transmission, eliminate the information, or fail to keep relevant records or report to government departments, they will face fines ranging from 50,000 to 500,000 yuan.

If particularly severe impacts result from their actions, they could be fined 2 million to 10 million yuan. Their related business or network services can be suspended, ordered to make rectifications, or be shut down, and their business licenses may be revoked, according to the draft. Directly responsible individuals may face fines ranging from 200,000 to 1 million yuan.

The draft also stipulates that activities involving the provision or storage of personal information and "important data" overseas will be punished in accordance with the Personal Information Protection Law and the Data Security Law.