On October 31, the Xinhua news agency reported that the Standing Committee of China’s National People’s Congress (“NPC”) is conducting the third reading of the draft Cybersecurity Law (“the Law”). NPC released two previous drafts of the Law for public comment in July 2015 and July 2016, but the full text of the third draft has not yet been released to the public.  This blog post summarizes key changes mentioned in the Xinhua report, which is based on the unreleased third draft.

More specific definition of “Critical Information Infrastructure” (“CII”). The latest draft restores language making specific reference to a number of key sectors such as finance, transportation, and e-government in the definition of CII. Note that such reference was removed in the second draft.  This increased specificity is, however, accompanied by broadly worded language retained from the second draft defining CII as “infrastructure that, in the event of damage, loss of function, or data leak, might seriously endanger national security, the national welfare, the livelihoods of the people, or the public interest.”

While this revision may shed some light on what sectors might be covered as CII, the catch-all stipulation in the second half of the definition gives the government considerable latitude if it intends to expand the definition of CII when promulgating and enforcing the implementing regulations.

New penalties directed at foreign individuals or organizations attacking Chinese CII. The third- draft inserts language to impose penalties, such as asset frozon or other sanctions,  on foreign organizations and  individuals who launch attacks upon China’s CII. This provision adds teeth to the law as the penalties for such acts provided in the second draft (i.e., warnings, suspension of operations, revocation of licenses, fines set within a fixed range, etc.) would not have any detrimental effect on foreign organizations or  individuals.

Greater punishments for online fraud and other new forms of cybercrime. Facing increasing online fraud and new forms of cybercrime, the third draft adds a provision prohibiting individuals and organizations from establishing “websites or communication groups for carrying out fraud, passing on criminal methods, producing or selling contraband or controlled items and engaging in other illegal criminal activities” or to publish information relating to such activities online.

This provision seems to reinforce various government agencies’ ongoing efforts to combat widespread cybercrime and it increases penalties for engaging in criminal activities in the cyberspace.

Promotion of network interoperability and standardization. The third draft includes new provisions on promoting the interoperability of network infrastructures, cultivating network security talent, and supporting the formulation of network security standards.

While such additions may be welcome for the purposes of enhancing cybersecurity, they may raise concerns if interpreted narrowly to exclude foreign standards. For example, does the idea of interoperability extend beyond China’s borders to allow for cross-border interactions and participation in activities undertaken in cyberspace?  Will China adopt standards that are compatible with international ones, or seek to develop its own homegrown standards in an attempt to develop its own cyber ecosystem?  It is uncertain how the agencies will implement such provisions in practice.

New provisions addressing the online protection of minors. New provisions have been added in the third draft to provide for general principles for the protection of minors online.  These principles are intended to provide a basis for developing auxiliary laws and regulations on the subject with the objective of creating a network environment that is conducive to the healthy growth of minors.  This is in line with efforts by China’s top internet regulator, the Cyberspace Administration of China (“CAC”), which recently issued a draft regulation on the protection of minors in cyberspace. 

Given that the National People’s Congress is now conducting its third reading of the draft Law, it will likely be finalized and officially promulgated very soon. We expect other controversial provisions, such as various data localization and cross-border data transfer requirements, to remain in the final text of the law.