China's New Cybersecurity Law: Enforcement Has Begun

China’s Cybersecurity Law came into force on 1 June 2017, amidst speculation that there would be a grace period until 31 December 2018 during which it would not be enforced. Recent state-level investigations and local enforcement actions have put the issue beyond doubt.

First State-Level Investigations

On 11 August 2017, the State Cyberspace Administration of China announced that it had commenced investigations into Tencent WeChat, Sina Weibo and Baidu Tieba for violation of the Cybersecurity Law. More particularly, the State Cyberspace Administration, together with the Beijing and Guangdong Cyberspace Administrations, is looking into whether these service providers have been disseminating information that violates national security, public security or social order, and/or have failed to exercise their management duties over “prohibited information” disseminated by their users. “Prohibited information” includes violent or horrific content, fake rumours, pornographic material, and any other information that endangers national security, public security or social order. These investigations are still ongoing.

Local-Level Enforcement Actions

At the local level, at least seven enforcement actions by local Cyberspace Administrations and local Public Security Bureaus pursuant to the Cybersecurity Law have been reported in Guangdong, Shanxi, Jiangsu, Sichuan, Hangzhou, Beijing, Tianjin and Chongqing. These enforcement actions were taken against online platforms (including two online purchase platforms, an online employment information platform, a financial services platform and two online music platforms), private companies, state-owned enterprises, an employment website, and a teacher training and education research centre. The enforcement actions concerned the following violations:

  • violations of the security assessment requirements for information systems
  • SQL injection vulnerabilities that compromised the security of the websites’ information
  • failure to retain network activity logs relating to users’ login information
  • failure to implement measures against the dissemination of prohibited information
  • failure to implement network security measures, leading to attacks by hackers
  • failure to implement real-identity registration requirements
  • sale of illegal VPN tools and network accounts

The measures imposed in these local enforcement actions were mainly warnings and orders of rectification. However, in one action fines of RMB10,000 and RMB5,000 were imposed on the institution and its legal representative respectively, and in another, a temporary cessation of the system’s operations was ordered for investigation purposes.

Action Items

With these first reported state investigations and local enforcement actions under the Cybersecurity Law, the relevant authorities have demonstrated that the Cybersecurity Law is in full force and will be enforced. Law firms with network operations in China should conduct an internal review to ensure that their operations comply with all requirements of the Cybersecurity Law. They should also make sure that clients who may be subject to the Cybersecurity Law are aware of these developments and are compliant as well.

Below is a checklist of seven key action items to help ensure compliance:

  1. Prepare proper personal data protection policies and collection statements for obtaining consent to the collection, use and transfer of personal data to third parties.
  2. Implement security measures, and keep logs of network security events and user network activities for at least the past six months.
  3. Report any security incidents and risks to the government.
  4. Ensure that the procurement of network products and services complies with all applicable security assessment requirements.
  5. Obtain real identity information from users before providing network services to them.
  6. Exercise management and supervision duties over information disseminated by users to the public.
  7. Assess whether the relevant operations may be categorised as critical information infrastructure and, if so, implement data localisation and the other security measures applicable to critical information infrastructure operations.