Sincethe Cyber Security Law (“CSL”) took effect on 1 June 2017,theregulators have not hesitated or delayed in its enforcement efforts acrossthecountry, despite the fact that certain important implementing rules arestillin the pipeline. We will highlight recent CSL enforcement cases so you cangeta better sense of the trends and developments that are becoming apparentandbetter prepare for CSL compliance.
Under the CSL, the CyberspaceAdminsitration of China (“CAC”)playsa central role in terms of coordination and supervision. Other regulatorsorrelevant departments under the State Council are responsible foroverseeingnetwork security within their own sectors in accordance with the CSLand otherrelevant laws and regulations, for example, the Office of StateCommercial CryptographyAdministration is responsible for commercial encryptionproducts, China BankingRegulatory Commission for the banking sector, ChinaInsurance RegulatoryCommission for the insurance sector, the Civil AviationAdministration of Chinafor the aviation sector and the Ministry of Industry andInformation Technologyfor the telecommunication industry, just to name a few.In addition to industryregulators, the public security bureaus have also carriedout enforcementactivities relating to cybersecurity pursuant to authoritiesgranted to themunder the CSL and other relevant laws and regulations. Itis also important to note that governmentagencies concerned at the differentlevels (not just the central or provinciallevel) also have the necessary CSLenforcement authorities.
Based on current observations, governmentagencies at thelower level, in particular, the cyber security units of thecounty/district orcity level public security bureaus and the provincial CACcounterparts, are moreaggressive in enforcing the CSL.
“Low Hanging Fruit”
Among the seven cases decided orpublished so far, five wereabout failure to comply with the multi-levelprotection scheme (“MLPS”;inChinese “等级保护制度”), andthese cases werehandled by the public security bureaus. There are probably tworeasons for this:(i) historically it was the public security authorities thattook charge ofoverseeing the implementation of the MLPS, on top of which acore segment of theCSL is constructed; and (ii) compared with other governmentagencies, the publicsecurity authorities are more resourceful in terms ofmanpower, technologicalmeans and investigation power, especially at the locallevel.
A wide range of companies havebecome the target of investigations,including online behemoths, institutionsdirectly associated with thegovernment, technological companies, and WeChataccounts operated bycelebrities.
The targeted behavioursuggests thatmany companies have failed to attach or allocate sufficientattention orresources to CSL compliance. From the regulator’s perspective, thefollowingseems to be low hanging fruit.
(1). Insufficietor flawed management of onlinecontent, whichincludes the information either self released or released byplatform users.For instance, the most high-profile case so far is the on-goinginvestigationagainst Tencent, Sina and Baidu for their flawed supervision andmanagement ofthe information published by their users. Pursuant to Art. 47ofthe CSL, network operators are obliged to strengthen the management of theuserpublished information and take immediate remedial actions, if anyprohibitedinformation is spotted.
(2). Unable to meet the regulatorysecurityrequirements, especially the MLPS rules. The CSL andin more details, the AdministrativeMeasuresfor Multi-Level Protection Scheme (“Administrative Measures for MLPS”;in Chinese “信息安全等级保护管理办法”) and its enablingrules andnational standards have set out the management systems and technicalmeasuresrequirements for each protection level. Failure to comply with theregulatorysecurity requirements is an outright violation of the CSL. If thefailure leadsto a data breach or a cyber attack, the consequences could be evenharsher.
Where improper information isspotted and flawed informationmanagement is detected, the CAC or its localbranches may instruct the platformcarriers to stop transmitting theinformation and shut down the accounts of theusers concerned, as is illustratedin Case 7 below. Failure to respond to theagency’s instructions in a timely mannermay result in the legal consequencesprovided for under Art. 68 of the CSL,including warning, confiscation ofillegal gains, fines at corporate andindividual levels, suspension of business,shutdown of website and revocationof permits or licenses.
Another noteworthy feature of the recent CSLenforcement is that the CSLholds both the company in question and the directin-charge person accountablein almost all of the CSL violations. This meansthat the “gate-keepers”,including decision-making senior executives, complianceofficers, in-housecounsels, IT officers, information officers, and otherpersonnel who haveaccess to important information and personal data, may all beexposed topersonal liabilities under the CSL and other relevant laws, regulationsorjudicial interpretations.
CSL governmentinvestigations are usually attributed to four channels: (i)regular inspections,(ii) special campaigns, (iii) whistle-blowing, (iv) casetransfer from otherenforcement agencies or assignment by superior agencies. Wehave also indicatedthe channels that have given rise to the cases summarizedin Appendix I hereinbelow. Among the five cases whose sources were disclosed,one was reported bynetizen whistle-blow, three were discovered during thecourse of regularinspections or special campaigns, and one was notified by theNationalInformation Reporting Centre for Network and Information Security (“ReportingCentre”; in Chinese “国家网络与信息安全信息通报中心”).
Among thechannels ofcase establishments, netizens’ reporting through government andinternetplatforms should be brought to particular attention. According to thestatisticsof the CAC, the effective whistle-blowing against network violation andimproper information hit arecord high in the first month of the CSL coming intoforce,reaching 3.67 million cases. Among them, 65,059 whistle-blows went totheReporting Centre, 1.49 million to the local report centres, and 2.11 milliontothe major online platform carriers such as Tencent, Sina, Baidu and Alibaba.Howto handle or respond to whistle-blow incidents will be a paramount taskthatlies ahead of network operators in China in order to enhance CSL compliance.
The recent CSLenforcementcalls for immediate action for network operators to review andreinforce theCSL compliance program, including:
(a) Conductinga health check on MLPScompliance. For most network operators,compliance with the MLPS is the focalpoint and also the starting point of CSL compliance. The healthcheck requiresa fresh yet thorough review of the network operator’s status ofMLPS, as wellas its management systems and technical measures with reference totheintricate matrix of laws, regulations, guidelines and national standards. Itisadvisable to extend the MLPS health check to an overall CSL health check in atimelyfashion, given the increasingly strengthened enforcement.
(b) Implementingemergency response plansor remedial measures. In respondingto a new information and networksecurity protection regime, companies need tofill in gaps by formulating andputting in place new policies and protocolsand/or sourcing new technologies orequipment. It is equally important todocument all remedial measures and theirimplementation.
(c) Maintainingsound communication withthe authorities. The CSL is anew and constant evolving regime withsignificant uncertainties, which makescompliance extremely challenging.Communication with the authorities is moreimportant than ever. A soundcommunication plan with the authorities will keepcompanies abreast of thedevelopment of new rules and the compliance requirementsof the authorities. Itcan also help companies build a cooperative gestureduring an investigation,making clarifications and explanations more effectiveand acceptable.
(d) Preparingfor the next wave. Bear inmind that although thefirst wave of enforcement was focused on impropermanagement of online contentand failure to comply with the MLPS, other keyissues like cross-border dataflow and procurement of special network securityproducts and services are byno means less important or off the regulator’sradar. Regulated networkoperators should planahead and act to preparethemselves for the next wave ofenforcement with a more comprehensive CSLcompliance plan in mind.
 Article 47 Networkoperators shallstrengthen the management of the information published by theirusers. If theyfind any information that is prohibited from publication ortransmission bylaws or administrative regulations, they shall immediately stopthetransmission of such information, take the disposal measures such as removaltoprevent the spread of such information, keep relevant records, and reportthesame to relevant competent authorities.
 With the adoption ofthe CSL, similarreporting centres have been gradually set up at provincialpublic security bureausas well. Taking the Zhejiang Province InformationReporting Centre for Networkand Information Security (in Chinese “浙江省网络与信息安全信息通报中心”) as an example, thecentres like this arenormally chartered with the following responsibilities:
(1). Buildup theinformation reporting channels with members of the coordination team andtheunits overseeing important information system, and receive and analysethereporting coming from such members and units.
(2). Organizespecialistsand experts to analyse, decide and assess the nature, severity andpossiblescope of influence of the information concerning network andinformationsecurity.
(3). Keepabreastwith the information about new computer viruses, system vulnerabilitiesandnetwork attack means by tracking the global network security intelligenceanddomestic information security status.
(4). Reportthefindings of the analysis to the provincial Party committee, theprovincialgovernment and the provincial informatization leading group in atimelyfashion, and wherever necessary, release alerts to the public.
See theintroductionto the Zhejiang Province Information Reporting Centre for NetworkandInformation Security at http://www.zjtbzx.gov.cn/zxjj/ (Chinese only).
See news report “3.67 millionwhistle-blowing in June targeting network violationand improper informationhits record high” (in Chinese “6月份全国网络违法和不良信息有效举报366.9万件创月度历史新高”) at http://www.cac.gov.cn/2017-07/28/c_1121396352.htm (Chinese only).
Appendix I: Summary of CSL Cases
please click the above picture to have a better view
Chinese news release is available at http://www.cac.gov.cn/2017-08/11/c_1121467425.htm.
 Chinese news releaseis available at http://mp.weixin.qq.com/s/xKKxxEpv0lEBlOlXgqvExQ.
 Chinese news releaseis available athttp://mp.weixin.qq.com/s/uSWGtNAokGhIAfObrwtvZA.
 Chinese news releaseis available athttp://mp.weixin.qq.com/s/tFoxqU5SG7yHwIVuIrelrQ.
 Chinese news releaseis available athttp://mp.weixin.qq.com/s/R0YEfRK3_up2mLC3lVHZRw.
 Chinese news releaseis available athttp://mp.weixin.qq.com/s/k0MYqkx2bX-8IAZ1Ig-HMQ.
 Chinese news reportis availableathttp://news.sina.com.cn/gov/2017-06-15/doc-ifyhfnrf9204518.shtml.
 including SeriousGossip (严肃八卦)， Sharp Film Review (毒蛇电影) , Association ofGossip Growth Caring (关爱八卦成长协会), Luo Bei Bei (萝贝贝), SouthernMetropolis Entertainment Weekly(南都娱乐周刊), Bazaar Entertainment (芭莎娱乐)
Please feel free to contact us should you have any requirement about CSL and above article:
+852 2833 4928
Rui Bai Law Firm
+86 (10) 8540 4630
Rui Bai Law Firm
+86 (10) 85404602
Cyber Security and Privacy
155 468 90211
Cyber Security and Privacy
186 883 99918
Cyber Security and Privacy
180 263 08123
本文始发于微信公众号（赛博星人）：First Wave of CSL Enforcement since the last half year