NPC Concludes 3rd Reading of Cybersecurity Law

On October 31, the National People's Congress (NPC) Standing Committee concluded a third reading of China's Cybersecurity Law. According to the report by NPC Legislation Commission, the third draft further strengthened protection on critical information infrastructure (CII) and minors, and added punishment measures to be taken against CII attackers who reside outside China's borders or commit online fraud. While no reports noted changes or further clarifications regarding provisions on cybersecurity review regimes or data localization, we anticipate that there will be few changes around the areas related to our concerns.

According to our conversation with NPC on November 1, it's highly likely that this version will be passed during this NPC Standing Committee Session as the final version. While we cannot be totally certain, the new version would likely be released soon after the Session within the month, and we anticipate it going into effect as soon as January 1, 2017.

Please find the key points from reporting on the third reading summarized below, including:

  • The Scope of “Critical information infrastructure”: This version added back in the enumeration of several key areas that are categorized as critical information infrastructure (CII), which had been removed from the second draft of the Law. According to the NPC report, CII will be defined as the industries or areas of public communication and information services, energy, transportation, water conservancy, finance, public services, and electronic government administration or anything that can seriously harm the national economy and national welfare through being suddenly destroyed, loss of capability or data leakage. The State Council will later draft policies on the specific CII scope and detailed protection measures based on MLPS.
  • Addition of ability to use sanctions against CII attackers outside China’s borders: Individuals and organizations outside Chinese borders engaging in any activities that harm the critical information infrastructure of the PRC can, according to law, be subject to decisions of MPS and related departments on imposing sanctions such as freezing assets or other necessary measures. These activities include, but are not limited to cyber attacks, cyber invasions, service disruption, and damages.
  • New provisions on online fraud punishment: The draft included new provisions against online fraud, adding legal obligations on individuals and organizations that are involved in establishing or using websites and online communication groups for making or selling illegal products and other fraudulent activities.
  • Emphasis on protection of minors and cybersecurity standards drafting: The new draft also inserted specific language for the protection of minors, aiming to provide a legal basis for the relevant policymaking of implementing measures, i.e. the recent draft Juvenile Online Protection Regulations that CAC released for comments. The scope of mandates on keeping web logs for no less than 6 months are also further clarified accordingly to be more relevant.
  • Promotion of network interconnectivity and cybersecurity standards drafting: The third-reading draft further added in specific language to promote network infrastructure connectivity, cybersecurity talent cultivation, and cybersecurity standards drafting with wider participation from research institutes and higher education institutions.