China's Cyber Security Law: enforcement actions are on the way

China’s new Cyber Security Law came into effect on 1 June 2017. Within a few months of its implementation, local authorities in various regions across China have taken numerous enforcement actions against businesses for violations. This client update provides a high-level review of recent cases to highlight the importance of compliance with the Cyber Security Law as well as some practical advice to businesses in China.

Based on information from an official source, 15 enforcement cases have been publicised as of 16 October 2017. In two-thirds of the cases, the punitive measures imposed were mainly warnings and orders of rectification within a certain time period (e.g. 15 days). However, in one-third of the cases, administrative fines ranging from RMB 10,000 to RMB 500,000 were imposed. The enforcement authorities include Cyberspace Administrations, Public Security Bureaux and Communications Administrations at national, provincial and municipal levels.

These enforcement actions were taken against social media platforms (e.g., Baidu Tieba), online information and purchase platforms (e.g., Taobao, 58.com), and technology companies (e.g., Alibaba Cloud) as well as various other entities. The enforcement actions mainly concern the following violations:

• failure to implement measures to prevent the dissemination of prohibited information¹ (Article 47)
• failure to verify the identity of network users and enforce the real-name registration requirement (Article 24)
• failure to conduct cyber security assessment on network products and services and take remedial measures if security defects or loopholes are found (Article 22)
• failure to conduct security assessment of information systems as required under the current five-tiered cyber security protection system (Article 21)
• failure to retain user login information and network logs (Article 21)
• failure to adopt technical measures to prevent computer virus, cyberattacks, cyber intrusions and other activities that endanger cyber security (Article 21)

The most high-profile case concerns three major social media platforms in China. On 11 August 2017, the Cyberspace Administration of China (the CAC) announced its investigations into these platforms for violation of the Cyber Security Law, accusing them of spreading prohibited information and/or failing to perform their management duties over the prohibited information posted by their users. On 25 September 2017, the local branches of the CAC in Beijing and Guangdong Province announced the violations, and the imposition of the maximum fine under Article 68 of the Cyber Security Law. Although the authorities did not specify the exact figure, the maximum fine under Article 68 is RMB 500,000; the person-in-charge or other directly responsible persons could incur a fine ranging from RMB 10,000 to RMB 100,000.

Another noteworthy case occurred in September 2017 and concerned Alibaba Cloud (Aliyun) and another four network technology companies in Guangdong Province. This is the first case in which the local communications authority (in this case, the Communication Administration of Guangdong Province) exercised its enforcement powers under the Cyber Security Law. Aside from the charges of failing to prevent the spreading of prohibited information or to implement the real-name registration requirement (which are both commonly used as the legal basis for punishment), the cloud acceleration product for the UC browser offered by one of the companies was found to have security defects resulting in the spread of prohibited information in violation of Paragraph 1 of Article 22 of the Cyber Security Law. The offending company was ordered to take immediate measures to rectify the violation and to conduct regular security assessments on its communications network as well as on any new or existing products and services.

It is worth mentioning that on 25 August 2017, an enforcement inspection group was formed under the Standing Committee of the National People's Congress (the NPC) to oversee the enforcement of the Cyber Security Law and the Decision on Strengthening Network Information Protection (the Decision) issued by the NPC Standing Committee on 28 December 2012. Six inspection teams were dispatched to carry out inspections in provinces and cities across China in September and October 2017. After the inspections are completed, a report on the enforcement of the Cyber Security Law and the Decision will be submitted to the NPC Standing Committee. This is expected to happen next month (December 2017).

The recent enforcement actions taken by Chinese authorities and the inspections conducted by the enforcement inspection group formed by the NPC Standing Committee have clearly demonstrated that the Cyber Security Law is in full force. No doubt there will be further enforcement actions in the future. Businesses should therefore take careful note of the enforcement cases and review their current policies, practices and procedures to ensure they are compliant. Businesses should pay special attention to the requirements under Article 21, 22, 24 and 47 as precedents have now been well established. As the enforcement landscape of the Cyber Security Law is evolving, we will continue to monitor the situation and provide updates on further developments.