Cybersecurity law violators to face heavier penalties

The Cyberspace Administration of China proposed a series of amendments to the Cybersecurity Law last week that would raise the size of fines for some violations and diversify penalties for infractions committed by operators of critical information infrastructure.

Among the proposals, the administration suggested that the fine for internet operators who do not take measures to prevent computer viruses or online attacks, nor monitor the network operation, should be increased from the current legal maximum of 100,000 yuan ($14,371) to 1 million yuan if their behavior harms cybersecurity or they refuse to rectify shortcomings after being alerted.

If the situation is "extremely serious", violators could be fined up to 50 million yuan, or to an equivalent of 5 percent of their previous year's revenue, according to the administration.

Such revenue-related penalties could also be levied against operators of critical infrastructure who use products or services that had not undergone security reviews, it said.

Moreover, those responsible for network security incidents would be prohibited from serving as directors, supervisors or executives of relevant enterprises for a certain period, or barred from working in critical positions of network management or operation, it said.

Zuo Xiaodong, professor at the University of Science and Technology of China, welcomed the increased and more diversified fines and penalties in the proposed amendments, which are open to public feedback until Sept 29.

"There are many kinds of network operators — both internet giants and small companies that provide online services — but under the current law, they face similarly sized fines, or the penalties do not effectively deter large-scale enterprises from such offenses," said Zuo, who is from the university's School of Cyber Science and Technology.

"It's often seen that internet enterprises or cyberspace institutions are fined for inadequate protection of cybersecurity. But, in fact, one main reason for the problem lies in the meager security awareness of the employers, so a prohibition from practice is also necessary," he said.

Wang Sixin, a law professor at Communication University of China, said that the larger fines will pose a larger threat for those engaged in the internet industry, which will "tell them to pay greater attention to cybersecurity".

In addition, revenue-related fines have been used by the European Union, Wang said, and that brings it more in line with international norms.

China's Cybersecurity Law, the first major set of rules of Chinese origin governing the storage and transfer of data, took effect in June 2017.

Over the past few years, China has stepped up efforts in cyberspace governance, making laws on data security and personal information protection and also issuing several regulations on security review and management of smartphone apps.