Article 12 of the Cybersecurity Law prohibits any individual or organization from using the network to conduct any activity that:
Article 47 of the Cybersecurity Law further provides that a network operator must step up its management of information disseminated by its users. If a network operator discovers information disseminated or transmitted contained information prohibited by law or administrative regulations, the network operator must stop transmission of such information and implement measures, including (a) remove such information to prevent its spread, (b) preserve relevant records and (c) report the same to competent departments. Under the Cybersecurity law, violations of Article 12 will be dealt with in accordance with other relevant laws and regulations, and violations of Article 47 would attract fines of up to a maximum of RMB500,000 for network operators, and fines of up to a maximum of RMB100,000 for every directly responsible managerial officer and other directly responsible officer. Other penalties such as order for cessation of businesses, closure of websites and revocation of relevant business licences can also be imposed.
The outcome of these state investigations will be announced by the local cyberspace administration authorities concerned.
In addition to these recently announced state investigations, there have been at least five enforcement actions by local Public Security Bureaus in Guangdong, Shanxi, Jiangsu, Sichuan provinces and the Chongqing municipality since the Cybersecurity Law came into force on 1 June 2017. These local level enforcement actions were against private companies, state owned enterprises as well as a teacher training and education research centre and covered violations of security assessment requirements of information systems, existence of SQL injection loopholes which compromised the websites’ information security, failure to retain network activity logs relating to users’ login information, failure to implement measures in relation to prohibited information, and failure to implement network security measures leading to attacks from hackers. While most of the measures imposed were warnings and orders of rectification, in one case a fine of RMB10,000 was imposed on the institution concerned, and a fine of RMB5,000 was imposed on the legal representative of the institution.
Key takeaway: With these first reported state investigations and local level enforcement actions under the Cybersecurity Law, the relevant authorities have demonstrated that the Cybersecurity Law is in full force and will be enforced. All companies operating any kind of network in China, including intranets, web services, blogs, app services, etc., must ensure compliance with all provisions of the Cybersecurity Law.