Introduction
On September 12, 2022, the Cyberspace Administration of China (the “CAC”) released an exposure draft of the Decision on Amending the Cybersecurity Law of the People's Republic of China (Draft for Comment) (the “Draft”). In general, the Draft would impose more stringent legal liabilities for certain violations of the Cybersecurity Law (the “CSL”) and systematically consolidate and unify penalties for violating security protection obligations relating to network operations, network information, critical information infrastructure (“CII”), and personal information. The Draft would also coordinate with the Personal Information Protection Law (the “PIPL”), the Data Security Law, and other new laws. We briefly summarize the key points of the Draft below.
Stricter Legal Liabilities for Violating Network Operation Security Obligations
The Draft would consolidate and unify liabilities for violating various general provisions on network operation security, including security protection obligations required by the Multi-level Protection Scheme, obligations to develop and implement emergency plans for network security incidents, and obligations to provide continuous security maintenance of products and services. Compared to the current CSL, the Draft would supplement the penalties for violating Article 23, which requires security certification or security testing for critical network equipment and special cybersecurity products. Notably, liabilities for violating these provisions would be made more stringent. The Draft echoes Article 66 of the PIPL by raising the maximum fine for personal information processors to RMB 50 million or five percent of their previous year’s turnover. The Draft would also raise the maximum fines for persons directly liable to up to 1 million yuan and add the penalty of prohibiting such persons from taking management or key cybersecurity protection positions.

Align with the PIPL on Liabilities for Violating Personal Information Rights
Prior to the effective date of the PIPL (November 1, 2021), the competent authorities mainly imposed administrative penalties for violations of personal information rights based on provisions in the CSL. Naturally, after the PIPL came into force, liabilities related to personal information protection in the CSL should be consistent with the PIPL to avoid any conflict in their application. The Draft would replace the penalty provisions in the current CSL on violating personal information rights with provisions that refer to the PIPL and other applicable laws and administrative regulations. On the one hand, the Draft retains the penalties that conform to related provisions of the PIPL. On the other hand, compared to the current CSL, the Draft would toughen legal liabilities for violations of personal information rights.

Impose Stricter Legal Liabilities for Violating CII Security Protection Obligations
For violations of national security review requirements for procurement by CII operators, the Draft would also raise the maximum fines to five percent of the violator’s previous year's turnover. For violations of data localization and data export requirements for CII operators, the Draft refers to Article 46 of Data Security Law and Article 66 of the PIPL, both of which impose stricter legal liabilities on CII operators.

Integrate Liabilities For Violating Network Information Security Obligations
The Draft integrates liabilities for violating network information security obligations, including user information governance, security management, and the establishment of network information security complaint and reporting systems. Similar to the aforementioned sections, the Draft raises the maximum fine to 50 million yuan or five percent of the violator’s previous year’s turnover and adds a prohibition on directly liable persons from taking management or key cybersecurity protection positions.

Conclusion
The Draft mainly focuses on imposing stricter liabilities for violations of the CSL and conforming to the PIPL on the maximum penalties of both the company and persons directly liable, thereby reflecting China’s strong attitude toward cybersecurity protection. The Draft is currently open for public comments and there remains significant time before it may enter into force. Therefore, parties who engage in network operations should continue to actively fulfill their obligations relating to network operation security, network information security, and personal information protection, and monitor this and other legislative developments.
On September 12, 2022, the Cyberspace Administration of China (the “CAC”) released an exposure draft of the Decision on Amending the Cybersecurity Law of the People's Republic of China (Draft for Comment) (the “Draft”). In general, the Draft would impose more stringent legal liabilities for certain violations of the Cybersecurity Law (the “CSL”) and systematically consolidate and unify penalties for violating security protection obligations relating to network operations, network information, critical information infrastructure (“CII”), and personal information. The Draft would also coordinate with the Personal Information Protection Law (the “PIPL”), the Data Security Law, and other new laws. We briefly summarize the key points of the Draft below.
Stricter Legal Liabilities for Violating Network Operation Security Obligations
The Draft would consolidate and unify liabilities for violating various general provisions on network operation security, including security protection obligations required by the Multi-level Protection Scheme, obligations to develop and implement emergency plans for network security incidents, and obligations to provide continuous security maintenance of products and services. Compared to the current CSL, the Draft would supplement the penalties for violating Article 23, which requires security certification or security testing for critical network equipment and special cybersecurity products. Notably, liabilities for violating these provisions would be made more stringent. The Draft echoes Article 66 of the PIPL by raising the maximum fine for personal information processors to RMB 50 million or five percent of their previous year’s turnover. The Draft would also raise the maximum fines for persons directly liable to up to 1 million yuan and add the penalty of prohibiting such persons from taking management or key cybersecurity protection positions.

Align with the PIPL on Liabilities for Violating Personal Information Rights
Prior to the effective date of the PIPL (November 1, 2021), the competent authorities mainly imposed administrative penalties for violations of personal information rights based on provisions in the CSL. Naturally, after the PIPL came into force, liabilities related to personal information protection in the CSL should be consistent with the PIPL to avoid any conflict in their application. The Draft would replace the penalty provisions in the current CSL on violating personal information rights with provisions that refer to the PIPL and other applicable laws and administrative regulations. On the one hand, the Draft retains the penalties that conform to related provisions of the PIPL. On the other hand, compared to the current CSL, the Draft would toughen legal liabilities for violations of personal information rights.

Impose Stricter Legal Liabilities for Violating CII Security Protection Obligations
For violations of national security review requirements for procurement by CII operators, the Draft would also raise the maximum fines to five percent of the violator’s previous year's turnover. For violations of data localization and data export requirements for CII operators, the Draft refers to Article 46 of Data Security Law and Article 66 of the PIPL, both of which impose stricter legal liabilities on CII operators.

Integrate Liabilities For Violating Network Information Security Obligations
The Draft integrates liabilities for violating network information security obligations, including user information governance, security management, and the establishment of network information security complaint and reporting systems. Similar to the aforementioned sections, the Draft raises the maximum fine to 50 million yuan or five percent of the violator’s previous year’s turnover and adds a prohibition on directly liable persons from taking management or key cybersecurity protection positions.

Conclusion
The Draft mainly focuses on imposing stricter liabilities for violations of the CSL and conforming to the PIPL on the maximum penalties of both the company and persons directly liable, thereby reflecting China’s strong attitude toward cybersecurity protection. The Draft is currently open for public comments and there remains significant time before it may enter into force. Therefore, parties who engage in network operations should continue to actively fulfill their obligations relating to network operation security, network information security, and personal information protection, and monitor this and other legislative developments.
