China’s Cyberspace Administration announced that it has commenced investigations into Tencent Wechat, Sina Weibo and Baidu Tieba for violation of China’s Cybersecurity Law late last week (11 August 2017). More particularly, the Cybersecurity Administration is looking into whether these service providers have been disseminating information which violate national security, public security and social order and/or have failed to exercise their management duties over “prohibited information” disseminated by their users. “Prohibited information” includes violent or horrific contents, fake rumours, pornographic materials, and any other information which endangers national security, public security or social order. In its announcement, the Cyberspace Administration reiterated that it would seriously implement the Cybersecurity Law, step up its monitoring of internet content, and prosecute violations in accordance with the law.
Article 12 of the Cybersecurity Law prohibits any individual or organization from using the network to conduct any activity that:
endangers national security, honour and interest
incites subversion of state power or overthrowing of the socialist system
incites splitting the country or undermining national unity
advocates terrorism or extremism
propagates ethnic hatred or discrimination
spreads violent or pornographic information
fabricates or disseminates false information to disrupt economic and social order, or infringes the reputation, privacy, intellectual property rights or other lawful rights and interests of any other person.
Article 47 of the Cybersecurity Law further provides that a network operator must step up its management of information disseminated by its users. If a network operator discovers information disseminated or transmitted contained information prohibited by law or administrative regulations, the network operator must stop transmission of such information and implement measures, including (a) remove such information to prevent its spread, (b) preserve relevant records and (c) report the same to competent departments. Under the Cybersecurity law, violations of Article 12 will be dealt with in accordance with other relevant laws and regulations, and violations of Article 47 would attract fines of up to a maximum of RMB500,000 for network operators, and fines of up to a maximum of RMB100,000 for every directly responsible managerial officer and other directly responsible officer. Other penalties such as order for cessation of businesses, closure of websites and revocation of relevant business licences can also be imposed.
The outcome of these state investigations will be announced by the local cyberspace administration authorities concerned.
In addition to these recently announced state investigations, there have been at least five enforcement actions by local Public Security Bureaus in Guangdong, Shanxi, Jiangsu, Sichuan provinces and the Chongqing municipality since the Cybersecurity Law came into force on 1 June 2017. These local level enforcement actions were against private companies, state owned enterprises as well as a teacher training and education research centre and covered violations of security assessment requirements of information systems, existence of SQL injection loopholes which compromised the websites’ information security, failure to retain network activity logs relating to users’ login information, failure to implement measures in relation to prohibited information, and failure to implement network security measures leading to attacks from hackers. While most of the measures imposed were warnings and orders of rectification, in one case a fine of RMB10,000 was imposed on the institution concerned, and a fine of RMB5,000 was imposed on the legal representative of the institution.
Key takeaway: With these first reported state investigations and local level enforcement actions under the Cybersecurity Law, the relevant authorities have demonstrated that the Cybersecurity Law is in full force and will be enforced. All companies operating any kind of network in China, including intranets, web services, blogs, app services, etc., must ensure compliance with all provisions of the Cybersecurity Law.