As explained in our previous post, China enacted its first fundamental law in cyberspace, the Cybersecurity Law, in 2016. Five years later, in 2021, China followed up with two more pieces of landmark legislation in this space: the Data Security Law and the Personal Information Protection Law. Taken as a whole, these three laws form an overarching framework that will govern data security, data protection and cybersecurity in China for years to come.

Under the framework established by these three laws, multiple Chinese government agencies are empowered with enforcement authorities. Among them, the Cybersecurity Administration of China, the Ministry of Public Security and the Ministry of Industry and Information Technology play most important roles. In addition, sector regulators are tasked with enforcing certain aspects of these three laws in their respective sectors. Although some of the enforcement powers of these agencies are overlapping, each of them has a different focus, as further explained below.

In part two of this series, we explain how the enforcement power is divided among Chinese agencies and what we can learn from recent enforcement actions. Note that this article focuses only on the roles of administrative agencies, even though the People’s Courts and the People’s Procuratorate could potentially play an important role in enforcing the PIPL through litigation.

Cyberspace Administration of China

As the lead agency that regulates activities in the cyberspace in China, the CAC takes the overall “coordination, supervision and management” role under all three laws (CSL Article 8, DSL Article 6 and PIPL Article 60).

The CAC’s role under PIPL is even more prominent. First, the CAC is granted with broad rule-making authorities under PIPL. It can issue general implementation rules and standards, as well as making specific rules in relation to sensitive personal information protection, facial recognition, artificial intelligence and other emerging technologies or applications (Article 62). It is also tasked with issuing implementation rules regulating cross-border data transfer certifications and formulating standard contract to be entered into by personal information processing entities and their overseas recipients (Article 38).

Second, the CAC is designated as the lead agency that coordinates sectoral regulators and local government to enforce the PIPL (Article 60). Together, these agencies are empowered to, among other things, handle complaints from individuals related to personal information protection, carry out personal information awareness trainings and investigate illegal personal information processing activities (Article 61). The PIPL grants a wide range of investigative powers to these regulators, including to: (i) conduct interview and investigation; (ii) consult and obtain copies of relevant documents; (iii) conduct on-site inspections; and (iv) inspect, seal or confiscate equipment and items carrying out illegal activities (Article 63).

Finally, the CAC will be the agency that administers the security assessment for the cross-border transfer of personal information by operators of Critical Information Infrastructure or personal information processing entities that process personal information “in a volume that reaches the threshold to specified by CAC” (Article 40).

Ministry of Public Security

The MPS is the principal public security agency in China. Under the CSL, together with its local branch, public security bureaus, the MPS and PSBs are taking the lead in enforcing two fundamental cybersecurity schemes, namely the protection of CII and the Multi-level Protection Scheme.

CII Protection Framework

Under the CSL, CII is broadly defined as infrastructure that would have serious negative impact on national security, national welfare or public interests if it is damaged or suffers data leakage. The CSL makes specific reference to “key sectors” such as telecommunications, financial services, transportation and digital government platforms (Article 31). Under the CSL and the “Regulations on Protecting the Security of Critical Information Infrastructure,” CII operators are subject to more stringent cybersecurity requirements.

Under the CII protection framework, MPS is empowered to guide and supervise the overall CII protection efforts (CII Regulation, Article 3.) In addition, MPS is also tasked with a number of specific responsibilities, such as preventing and cracking down criminal activities related to CII, as well as participating in the cybersecurity inspection and testing on CII (CII Regulation, Articles 27 & 33).

MLPS Framework

Under the MLPS framework, systems in China are classified based on their impact on national security, social order and economic interests if the system were to be damaged. The level of classification ranges from one to five and systems classified at, or above level three are subject to enhanced requirements. 

In enforcing the MLPS requirements, PSBs can rely on powers ranging from on-site inspections, investigations, and “summoning for consultation,” to the authority to issue monetary fines and impose criminal liability. Specifically, PSBs can evaluate whether network operators have met the requirements of the MLPS and established controls to prevent cybersecurity incidents.    

Ministry of Industry and Information Technology

MIIT is China’s sectoral regulator for industrial branches and information technology sector. In the cyber and data security space, considering that MIIT is the sectoral regulator of a wide range of digital service providers (most of which are considered as value added telecom services in China), MIIT plays a critical role in enforcing cyber and data security rules against providers in the telecommunications and internet sector. 

One example of MIIT’s key enforcement authority is it enforces personal information protection rules against the operators of mobile application stores and operators of mobile applications. Since the enactment of the CSL, MIIT has launched several rounds of enforcement actions against apps that violated personal information protection requirements in China. Further, MIIT released a draft “Interim Administrative Provisions on Personal Information Protection by Mobile Internet Applications” for public comments, which sets out detailed data protection requirements that apply to app developers, as well as app stores and device providers.

Sectoral regulators and other agencies

In addition to the three government agencies mentioned above, sectoral regulators are also empowered to enforce certain aspects of the rules established under the CSL, DSL and PIPL. For example, the People’s Bank of China, as one of the key regulators in the financial industry, takes the lead in regulating how financial institutions regulated by it should protect personal information. The State Administration for Market Regulations, as the regulator of the e-commerce sector, is also granted the authority to release rules and enforce personal information protection in the e-commerce sector. For example, SAMR released the “Measures for the Supervision and Administration of Online Transactions,” which imposes a variety of personal information protection requirements on e-commerce service providers. 

Lessons learned from recent enforcement actions

In the months leading to the enactment of the PIPL, Chinese agencies have been very active in terms of enforcing rules in the cybersecurity, data security and personal information protection areas. While the priorities of enforcement agencies changed from time to time, major issues that Chinese regulators focus on recently include: the illegal use of cameras to take videos that violates others’ privacy rights, abuse of facial recognition technology, illegal collection of personal information by apps, personalized recommendation and price discrimination by using big data analysis.

These enforcement actions are usually launched jointly by multiple enforcement agencies. For instance, CAC, MPS, MIIT and SAMR jointly initiated a campaign in May 2021 against the illegal video filming of individuals’ private lives and the selling of such videos. In July 2020, these four agencies also jointly launched a one-year campaign targeting illegal collection and use of personal information by apps. 

Meanwhile, the penalties issued by enforcement agencies range from ordering violators to make corrective actions, to suspend services, or to be removed from the app stores or platforms, to confiscating illegal gains and imposing monetary penalties on violators. The amount of monetary penalties usually does not exceed RMB one million yuan, which is the maximum penalty allowed under the CSL.   

Given that the DSL and the PIPL grant new authorities to enforcement agencies and significantly increase penalties against entities that violate these laws, we are expected to see a new era of enforcement in China on data-related rules.

Photo by Macau Photo Agency on Unsplash