How is the enforcement of data protection and cybersecurity provisions in mainland China faring? A year after the Cybersecurity Law (网络安全法, the CSL) became effective, June 1, 2017, it is a question that can legitimately be asked. And a question that has become more pressing a few weeks after the public announcement of one of the most important data leaks in mainland China from a major hotel group that could impact over 130 million data subjects.

In this article, beyond just providing a state of the enforcement of the CSL, it seemed important to also provide insights on how to find information on enforcement of data protection and cybersecurity provisions in mainland China. In an age where information is more plentiful than ever, discussing the difficulties encountered by privacy experts outside and within mainland China when conducting research on enforcement is critical to support a continuous understanding of the laws.

Therefore, the first part of this article will discuss how to do research on the enforcement of data protection and cybersecurity provisions in mainland China, while also covering the major challenges and pitfalls, to then proceed on enforcement itself.

What is to be enforced?

An important factor to consider when evaluating the level of enforcement of the CSL, is the fact that the law is not only dedicated to data protection, nor exclusive to cybersecurity (despite its name). It is in fact an umbrella law that as per Article 1 is aimed at:

• Ensuring cybersecurity.
• Safeguarding cyber sovereignty.
• Protecting national security and public interests.
• Protecting the legitimate rights and interests of natural and legal persons.
• Promoting the healthy development of economic and social informatization.

As a result, enforcement of the CSL encompass, among others, data protection under its Chapter IV, cybersecurity under its Chapter III and the authorized use of networks and their monitoring under its Chapter I, III and IV. Solely researching the enforcement of the CSL would hardly provide satisfactory results, similar to researching the enforcement of contract law. To be effective, an element of contract law should be researched, such as the enforcement of voiding contracts. Therefore, it is important to compartmentalize research on specific provisions of the CSL to be able to state whether provisions on data protection or cybersecurity are enforced, for example.

However, a conflicting factor to this assessment is that the CSL as national law can be supplanted by specific laws and regulations. For example, cybercriminality could be prosecuted through Articles 286 and 287 of the Criminal Law (中华人民共和国刑法). Unlawful direct marketing could fall under enforcement of the 2015 Advertising Law (中华人民共和国广告法 [2015年修订]) Article 43. It is only when a specific law redirects enforcement of cybersecurity and data protection to the CSL that the CSL itself would show to be directly enforced, like with the e-commerce law (中华人民共和国电子商务法) that stipulates in its Article 79 that e-commerce operators and platforms violating cybersecurity or data protection provisions would be liable under the CSL. As a result, one must remain cautious when stating that the CSL is not enforced for direct marketing or criminal matters, as in fact specific provisions are already covering for such enforcement.

Sourcing enforcement as a non-Chinese speaker

One of the greatest challenges that privacy experts can face in researching enforcement of the cybersecurity law is the language and cultural barrier.

Without access to Chinese news and media, as well as regulatory authorities, one must solely rely on third party reports regarding enforcement of the CSL, or cybersecurity and data protection relevant provisions. However, over-reliance on such third parties can be hazardous:

• Mistranslation can happen, such as translating a "shall" into a "may."
• If the third party is biased, risk of the law or enforcement being interpreted is high.
• Incorrect paraphrasing can also occur, modifying the source text into a complete different argument.

It then become extremely important to be able to cross-check those sources of information. In particular to find the source of the report or news for further investigation. When a report, a post, a blog, does not provide its source, it is recommended to remain careful; until either a trusted source is found (such as government reports or declaration) to back-up the information, or another outlet cover this similar issue, but while providing a trusted source.

For example, in July some blogs and news outlets where reporting that the Shanghai Consumer Council ordered map applications operators to stop collecting user’s personal information without providing a source to the official release. After crosschecking and discovering the real announcement from the Shanghai Consumer Council [in Chinese], it was clear that it was not an order to stop the collection of user’s personal information. It was an order for map applications operators to respect data protection provisions by collecting consent and minimizing the personal information collected.

The lack of a centralized enforcement hub

For Chinese speaking privacy experts, the problem of finding information on enforcement remains due to the lack of centralized information hub on data protection and cybersecurity enforcement.

A factor to consider is that news outlets and publications have partly migrated to social medias. For example, when the Third Research Institute of the Ministry of Public Security (the Institute) published its report [in Chinese] on the enforcement of the CSL on August 18, 2017, it did not do it through its website. Instead, the report was published through its public account on the Chinese social media WeChat. While the report was indeed later on republished on various websites, only experts with prior knowledge of the social media platform, and the publication habits of the Institute could find it by themselves.

When a report is published by a more remote governmental organization, the risk of it not being republished grows. Based on our research, it appears that local branches of the Cyberspace Administration of China and the Ministry of Public Security do communicate on enforcement actions and activities. However, such publications are mostly located on difficult to located websites, or social media accounts.

The enforcement of the CSL

Although difficult to find, the enforcement of the CSL in mainland China is indisputable since last June 2017. Enforcement of cybersecurity provisions, in particular compliance with the Multi-Level Protection System as per Article 21 of the CSL is documented. On June 27, 2018, the Third Research Institute of the Ministry of Public Security published short a report [in Chinese] on the enforcement of the provision on the compliance with the Multi-Level Protection System requirements with 13 entries, with related sanctions ranging from warning to fines up to RMB 20000.

Last April the Cyberspace Administration of China communicated [in Chinese] on the enforcement of the CSL in the Guangdong province, especially regarding the publication of illegal content under the CSL. Sanctions ranged from warnings, to fines, to the order to deleted infringing content.

More generally, enforcement of the CSL can be found in Chinese media, and sometime collected together by a research authority such as the Institute in its  August 18, 2017 release [in Chinese]. At this stage, most of the sanctions are focused on administrative fines, warnings and request for rectification, with a few cases involving detention of individuals for selling illegally collected personal information.

As a final word, even if the enforcement of the CSL is difficult to document and quantify, it is unmistakably taking place in mainland China. We can see from various reports that enforcement of the CSL is continuous, although publicity of such enforcement is highly fluctuating. This can give the impression that enforcement is limited or only spikes at a precise period of time, while in fact it has never stopped since it has begun.

photo credit: Max Braun via photopin