AI support at heart of cybersecurity revision

China's newly revised Cybersecurity Law, passed on Tuesday by national legislators, will take effect on Jan 1, spelling out national support for basic artificial intelligence research and development while strengthening penalties for violations.

The amended law was approved at the 18th session of the Standing Committee of the 14th National People's Congress in Beijing on Tuesday.

A newly added article states that the country supports basic theoretical research in AI and the development of key technologies such as algorithms. It also promotes the construction of infrastructure, including training data resources and computing power.

The revision also calls for improving AI ethics rules; strengthening risk monitoring, assessment and safety oversight; and promoting the application and sound development of AI. Additionally, the law encourages innovative cybersecurity management, including the use of AI and other new technologies, to raise protection levels.

An official with the NPC Standing Committee's Legislative Affairs Commission said in a written reply to reporters on Tuesday that the new AI-related provisions "actively responded to" practical needs in AI governance and development.

The newly revised law has also strengthened penalties for violations, particularly those resulting in large-scale data breaches or loss of functionality of critical information infrastructure.

Operators of critical information infrastructure who fail to fulfill cybersecurity protection obligations, resulting in "serious" or "particularly severe" consequences, could face fines ranging from 500,000 to 10 million yuan ($70,125 to $1.4 million).

These consequences include large-scale data breaches, partial loss of functionality of critical information infrastructure, or even the loss of main functions, according to the amendment. If the main functions of critical information infrastructure are lost, the individuals directly responsible could face fines ranging from 200,000 to 1 million yuan. The previous version of the Cybersecurity Law did not specify these penalties.

The amended law also imposed stricter penalties for network operators who fail to take required measures against the dissemination or transmission of information prohibited by laws and regulations. Operators who do not stop such transmissions, eliminate the information or fail to keep relevant records or report to government departments will face fines ranging from 50,000 to 500,000 yuan.

In the event of "particularly severe" consequences, fines could range from 2 million to 10 million yuan. Related business or network services may be suspended, ordered to make rectifications or shut down, and business licenses could be revoked. Individuals directly responsible may face fines ranging from 200,000 to 1 million yuan.

China's Cybersecurity Law was first enacted in 2016. The review this month was its second, with its first round of review conducted in September.

The NPC official said that as a foundational statute for the cybersecurity field, the law has set systems for network operation security, security of network products and services, protection of critical information infrastructure and online information security.

Since its implementation in 2017, the law has "strongly" curbed activities harmful to cybersecurity, resulting in an increasingly clear cyberspace, the official said. However, illegal actions such as network intrusions, cyberattacks and the spread of illegal content repeatedly occur, underscoring the difficulty of the task in safeguarding cybersecurity, the official added.

The new amendments refined liabilities for acts harming network operation security, product and service security, and information security, according to the written reply. They also enhanced coordination with the Data Security Law and the Personal Information Protection Law to improve the law's precision, effectiveness and consistency, it said.