Update on Enforcement of China’s Cybersecurity Law
Companies doing business in China may see an increase in enforcement actions with the enactment of a new cybersecurity regulation and the enforcement powers of the Public Security Bureaus (PSBs) officially codified. The regulation – Provisions on Internet Security Supervision and Inspection by Public Security Organs – is now in effect, more than a year after the enactment of the country’s Cybersecurity Law.
The long-awaited regulation was issued pursuant to the Cybersecurity Law and provides guidance on how the country’s PSBs are expected to enforce the law. Specifically, under the new regulation, PSBs –China’s local and provincial police– may conduct inspections of network operators and internet service providers. These include companies that provide internet access, data centers, content distribution, and domain name services; internet information services; internet access to the public; and other internet services.
Under the regulation, PSBs have the power to inspect regulated companies’ premises and networks. They may conduct onsite or remote inspections, review and copy relevant documents, conduct interviews of company personnel and inspect a company’s cybersecurity protection measures. Inspections may focus on a number of areas, including whether the company has implemented cybersecurity programs, taken measures to prevent cyberattacks, and filed as a “network-using entity” (an entity that is connected to the Internet) – all obligations already outlined in the Cybersecurity Law.
Due to the regulation’s language, PSBs have broad discretion to determine which companies are subject to the regulation, when inspections take place, the scope of those inspections, and what penalties should be levied in the event of a violation. Should a company fail an inspection, PSBs are authorized to impose a wide array of penalties, including sanctions outlined in both the Cybersecurity Law and the Counter-Terrorism Law. These include warnings, substantial fines and detention of individuals.
Putting it Into Practice: Internet Service Providers and Network Operators operating in China should expect and prepare for potential inspections by evaluating their current cybersecurity policies against obligations outlined in the regulation.