High penalties suggested for data breaches

Chinese lawmakers are reviewing a draft amendment to the nation's Cybersecurity Law with the aim of strengthening penalties for violations, including those that result in large-scale data breaches or partial loss of functionality of critical information infrastructure.

The draft was submitted on Monday to the ongoing session of the Standing Committee of the National People's Congress, China's top legislature, for its first reading. It marks the first revision of the Cybersecurity Law since its implementation in 2017.

According to the draft, operators of critical information infrastructure who fail to fulfill cybersecurity protection obligations as stipulated by the Cybersecurity Law, resulting in "serious" or "particularly severe" consequences for cybersecurity, could face fines ranging from 500,000 to 10 million yuan ($70,125 to $1.4 million).

These serious or particularly severe consequences include large-scale data breaches, partial loss of functionality of critical information infrastructure, or even the loss of main functions, according to the draft amendment. Additionally, if the main functions of critical information infrastructure are lost, the individuals directly responsible could face fines ranging from 200,000 to 1 million yuan. The current Cybersecurity Law does not specify these penalties.

Operators of critical information infrastructure are currently required under the law to establish dedicated institutions and personnel, conduct security background checks on key positions, perform disaster recovery backups for important systems and databases, develop emergency response plans for cybersecurity incidents, and conduct annual risk assessments.

The draft has also increased penalties for network operators who fail to take required measures against the dissemination or transmission of information prohibited by laws and regulations. Operators who do not stop such transmission, eliminate the information, or fail to keep relevant records or report to government departments will face fines ranging from 50,000 to 500,000 yuan. In the event of particularly severe impacts and consequences, fines could range from 2 million to 10 million yuan. Related business or network services may be suspended, ordered to make rectifications, or shut down, and business licenses could be revoked. Individuals directly responsible may face fines ranging from 200,000 to 1 million yuan.

The draft also stipulates that activities involving the provision or storage of personal information and "important data" overseas will be punishable under the Personal Information Protection Law and the Data Security Law.

The amendment includes a leniency provision. Network operators who proactively eliminate or mitigate the harmful consequences of their illegal activities may be eligible for reduced penalties. This also applies if violations are minor, promptly corrected, and have not caused harmful outcomes, or if there is evidence showing an absence of subjective fault.

Wang Ruihe, deputy director of the Legislative Affairs Commission of the NPC Standing Committee, explained the need for the amendment. In recent years, cybersecurity risks have become increasingly prominent, with illegal activities such as network intrusion, cyberattacks and dissemination of illegal information occurring frequently.

"It is necessary to strengthen the coordination and alignment with legislation related to the cyber domain, amend and improve the legal liability system of the Cybersecurity Law, and increase penalties for certain illegal activities," Wang said.