from Hotznplotzn@lemmy.sdf.org to cybersecurity@sh.itjust.works on 24 Jun 11:10
https://lemmy.sdf.org/post/37332260
cross-posted from: lemmy.sdf.org/post/37332256
On 14 May 2025 the Standing Committee of the National People’s Congress, China’s legislative body, published its 2025 work plan, including plans to deliberate a draft amendment to the 2017 Cybersecurity Law proposed by the Cyberspace Administration of China (CAC). ARTICLE 19 warns that the proposed amendment doubles down on China’s repressive digital norms, further illustrating the human rights concerns inherent in China’s model of cybersecurity governance.
[…]
The most concerning changes proposed by the amendment involve significant increases in penalties, including greater liability for management personnel, and the reinforcement of censorship and surveillance as core elements of cybersecurity governance.
[…]
Revised Article 59 increases fines for network and CII operators’ non-compliance with varied cybersecurity duties. It doubles the maximum penalty for actions that impact local CII, or cause other vaguely worded consequences to network security, to 2 million yuan ($278,186 USD) and introduces a new penalty for causing CII to ‘lose its main function and other particularly serious consequences for cybersecurity’, with a maximum fine of 10 million yuan ($1,390,930 USD).
Directly responsible personnel will face stricter liability, arguably as a means of outsourcing tighter oversight. In the 2017 Law, the harshest penalty for responsible personnel is 200,000 yuan ($27,818 USD). The amendment introduces a new fine for responsible management personnel carrying a maximum penalty of 1 million yuan ($139,093 USD).
[…]
A newly proposed Article 64 expands on the enhanced penalties for network or CII operators who fail to prevent certain prohibited acts. This includes activities vaguely deemed to endanger cybersecurity, or providing software, other technical support, or expenses for prohibited activities. This could impact cybersecurity researchers and digital security practitioners, and – considering the emphasis on controlling information as part of China’s approach to cybersecurity – could be extended to those who provide VPNs and other circumvention tools, already effectively criminalised in China.
Because the law in China is often weaponised in service of the Chinese Communist Party (CCP), increased penalties signal that non-compliance with Party priorities in digital governance will be met with ever-harsher penalties.
[…]
Unsurprisingly, the draft explicitly reiterates requirements on preventing ‘prohibited’ information from outside of China – a reminder that the epitome of internet fragmentation, the Great Firewall of China, is synonymous with the Party’s approach to CII governance. This in turn raises serious concerns around the dissemination of China’s model for cybersecurity governance.
[…]
The draft goes on to outline that, should network operators fail to block ‘prohibited’ content leading to further unspecified ‘particularly serious’ impacts or consequences, they will be subjected to a maximum fine of 10 million yuan ($1,390,930 USD), and administrative penalties. Directly responsible personnel will be fined upwards of 1 million yuan.
Moreover, the draft combines the language in previous provisions into a new Article 71, further citing obligations of strict control over ‘permissible’ expression and data localisation requirements.
[…]
The operation of network and critical information infrastructure requires provisions to prevent and respond to cyber-attacks. At the same time, cybersecurity measures must not infringe on human rights, and information infrastructure security cannot be conflated with the surveillance and control of information. The draft amendment to the Cybersecurity Law, rather than addressing new and emerging cybersecurity vulnerabilities, doubles down on existing freedom of expression concerns in the 2017 Law. These concerns are only magnified by China’s own stated ambition to expand its cyber power through the development and dissemination of cybersecurity governance norms around the world.
[…]