The draft law includes the obligations of various government and private sector actors in combating cybercrime, while creating new offenses for enabling cybercrime.[2][3]
Chapter I, titled General Provisions, sets out the general provisions of the law. Article 2 states that the law applies to the prevention and control of cybercrime in the territory of the People's Republic of China, while adding that Chinese citizens outside China can be held liable for violating the law anywhere in the world and that authorities can pursue the liability of foreign individuals and organizations which violate the law when providing services within China.[2]
Chapter II of the law, titled the Management of Basic Network Resources, mainly deals with the Internet real-name system. Articles 11, 12 and 13 of the law lay out prohibited user conduct, including the use of fake IDs to open accounts or sharing network and phone connections, payment methods, information-sharing accounts, and web hosting. Such conduct is listed as an administrative violation, with punishments including fines and possible detention of up to 15 days. Agencies are also authorized to blacklist offending individuals or organizations and require service providers to restrict blacklisted users’ access to services.[2]
Article 14 prohibits equipment primarily designed to evade regulatory controls or facilitate cybercrime, including devices for bulk control of SIM cards; intercepting others’ text messages; spoofing caller ID; disabling or disrupting others’ phones; and systems that mass-process SMS or voice verification codes. Item 6 of the article includes tools "specifically used to commit cyber illegalities and crimes or having the function of evading supervision systems", which could potentially include tools to circumvent the Great Firewall, such as virtual private networks (VPNs). It states that any individual or organization is forbidden from engaging in the "illegal production, sale, provision, or use" of these tools.[1]
Article 15 requires providers of controlled software and services that provincial police designate as readily used in cybercrimes to file users’ or purchasers’ real identity information with the police and regulatory authorities. Controlled software and services include tools that can undermine traceability, such as spoofing or masking a user's location, enabling remote control of other systems, and facilitating the bulk management of multiple internet connections, devices, or accounts.[2] Articles 16 and 17 mandate additional verification where there is irregular account activity, and allow government agencies to request either new verification of specific accounts or a general increase in reverification frequency for areas or times of high criminal activity. They state that users who fail verification may potentially face restricted or terminated functionality, though they are entitled to automatic review, with services restored once verification is successfully completed.[2]
Chapter III of the law, titled Governance of the Cybercrime Ecosystem, provides administrative offenses for Articles 19-33 of the law.[2] Chapter IV of the law is titled Obligations for the Prevention and Control of Cybercrime.[4] Articles 24 and 25 establish an administrative approval regime on "white hat" security research and penetration testing. Article 24 bans the unauthorized "discovery, collection, and publication of network product vulnerabilities," restricting such testing on critical systems (level three and above) without explicit approval from provincial-level cyberspace administrations or public security bureaus or authorization from industry regulators or network operators. Authorized testing must be "reported to county-level and higher public security organs five working days prior to the implementation of the activity".[1]
Chapter IV of the law, titled Obligations for the Prevention and Control of Cybercrime, provides for various obligations. Article 44 of the law prohibits the production, sale, or provision of means to assist or support in the access of blocked illegal content that originates from outside of the territory of the People's Republic of China.[2] Articles 48 and 49 authorize the police or cybersecurity administration to directly issue 'online protection orders', requiring network operators to promptly block offending, bullying content. Article 50 concerns offenses against minors, including penalties for the possession of child sexual abuse material.[2]
Chapter V of the law, titled the Prevention and Control of Cross-border Cybercrimes, mainly concerns cross-border crimes. Article 54 states authorities can "seal, seize, and freeze" and ultimately "confiscate" the criminal proceeds—as well as any enterprises, securities, or real estate invested with those proceeds—of foreign entities and individuals who are deemed to have committed cybercrimes, and can also restrict their direct or indirect investments, which is in accordance with the Criminal Procedure Law.[2] Article 55 authorizes sanctions, including entry bans and asset freezing, against "overseas institutions, organizations, and individuals" that create or spread adverse "fake information" online which impacts China's "national sovereignty, security, development interests, or public interests".[2] Article 56 provides that "municipal-level and higher PSBs" can impose an additional six-month to three-year "exit ban" on Chinese citizens after they have completed criminal sentences for cyber-related offenses. It also authorizes "relevant competent departments" to ban the entry of foreign personnel who violate the provisions of Chapter III.[2]
Chapter VI of the law, titled Legal Responsibility, concerns the penalties of the law. Article 57 states that anyone who evades real-name registration, including through using foreign SIM cards or IP proxies, faces fines of up to ¥200,000 renminbi, with additional penalties to violators including being placed on a blacklist, restricting their access to basic telecommunications and financial services. Articles 58 and 59 state that those who produce or provide circumvention face fines of up to ¥500,000 renminbi. Articles 57–61 empower the police to impose up to 15 days of "administrative detention" for violations under "serious circumstances". Article 60 states that service providers who "fail to fulfill cybercrime prevention and control obligations", including the failure to monitor, discover, and block illegal information, can face enterprise fines of up to ¥5 million renminbi, while "directly responsible personnel" can face personal fines of up to ¥200,000 renminbi.[2]