September 19, 2020

Volume X, Number 263

September 18, 2020

Subscribe to Latest Legal News and Analysis

September 17, 2020

Subscribe to Latest Legal News and Analysis

September 16, 2020

Subscribe to Latest Legal News and Analysis

China Conducts Third Reading of Draft Cybersecurity Law

On October 31, the Xinhua news agency reported that the Standing Committee of China’s National People’s Congress (“NPC”) is conducting the third reading of the draft Cybersecurity Law (“the Law”). NPC released two previous drafts of the Law for public comment in July 2015 and July 2016, but the full text of the third draft has not yet been released to the public.  This blog post summarizes key changes mentioned in the Xinhua report, which is based on the unreleased third draft.

More specific definition of “Critical Information Infrastructure” (“CII”). The latest draft restores language making specific reference to a number of key sectors such as finance, transportation, and e-government in the definition of CII. Note that such reference was removed in the second draft.  This increased specificity is, however, accompanied by broadly worded language retained from the second draft defining CII as “infrastructure that, in the event of damage, loss of function, or data leak, might seriously endanger national security, the national welfare, the livelihoods of the people, or the public interest.”

While this revision may shed some light on what sectors might be covered as CII, the catch-all stipulation in the second half of the definition gives the government considerable latitude if it intends to expand the definition of CII when promulgating and enforcing the implementing regulations.

New penalties directed at foreign individuals or organizations attacking Chinese CII. The third- draft inserts language to impose penalties, such as asset frozon or other sanctions,  on foreign organizations and  individuals who launch attacks upon China’s CII. This provision adds teeth to the law as the penalties for such acts provided in the second draft (i.e., warnings, suspension of operations, revocation of licenses, fines set within a fixed range, etc.) would not have any detrimental effect on foreign organizations or  individuals.

Greater punishments for online fraud and other new forms of cybercrime. Facing increasing online fraud and new forms of cybercrime, the third draft adds a provision prohibiting individuals and organizations from establishing “websites or communication groups for carrying out fraud, passing on criminal methods, producing or selling contraband or controlled items and engaging in other illegal criminal activities” or to publish information relating to such activities online.

This provision seems to reinforce various government agencies’ ongoing efforts to combat widespread cybercrime and it increases penalties for engaging in criminal activities in the cyberspace.

Promotion of network interoperability and standardization. The third draft includes new provisions on promoting the interoperability of network infrastructures, cultivating network security talent, and supporting the formulation of network security standards.

While such additions may be welcome for the purposes of enhancing cybersecurity, they may raise concerns if interpreted narrowly to exclude foreign standards. For example, does the idea of interoperability extend beyond China’s borders to allow for cross-border interactions and participation in activities undertaken in cyberspace?  Will China adopt standards that are compatible with international ones, or seek to develop its own homegrown standards in an attempt to develop its own cyber ecosystem?  It is uncertain how the agencies will implement such provisions in practice.

New provisions addressing the online protection of minors. New provisions have been added in the third draft to provide for general principles for the protection of minors online.  These principles are intended to provide a basis for developing auxiliary laws and regulations on the subject with the objective of creating a network environment that is conducive to the healthy growth of minors.  This is in line with efforts by China’s top internet regulator, the Cyberspace Administration of China (“CAC”), which recently issued a draft regulation on the protection of minors in cyberspace. 

Given that the National People’s Congress is now conducting its third reading of the draft Law, it will likely be finalized and officially promulgated very soon. We expect other controversial provisions, such as various data localization and cross-border data transfer requirements, to remain in the final text of the law.

© 2020 Covington & Burling LLPNational Law Review, Volume VI, Number 306


About this Author

Yan Lou, Regulatory and public policy lawyer, Covington
Of Counsel

Yan Luo advises clients in a broad array of regulatory matters in connection with international trade, cybersecurity and antitrust/competition laws in the U.S., EU and China.

With previous work experience in Washington, DC and Brussels before relocating to Beijing, Ms. Luo has fostered her government and regulatory skills in all three capitals. She is able to strategically advise international companies on Chinese regulatory matters and represent Chinese companies in regulatory reviews in other markets.

Ashwin Kaja, Covington Burling, International trade lawyer

Ashwin Kaja is an associate in the firm’s Beijing office and is a member of the firm’s International Trade, Public Policy, Data Privacy & Cybersecurity, and Anti-Corruption practice groups. He has advised multinational companies, governments, and other clients on a range of matters related to international trade, public policy and government affairs, data privacy, foreign investment, anti-corruption compliance and investigations, corporate law, real estate, and the globalization of higher education. He also serves as the China and India editor for Covington’s Mr. Kaja is also a certified information privacy professional (CIPP/US). Prior to joining the firm, Mr. Kaja was an associate at another major international law firm in Beijing.