China Releases Draft Amendment to Cybersecurity Law
- Rose Li, XL Law & Consulting
- Jun 4
On March 28, 2025, the Cyberspace Administration of China released a draft amendment to the Cybersecurity Law (“Draft Amendment”) for public comment.
Under the Draft Amendment, restrictions on the cross-border transfer of network data apply only to the transfer of personal information and important data.
The Draft Amendment also applies different penalties to general network operators and critical information infrastructure operators and allows for reduced, mitigated or no administrative penalties in certain situations.
In the 2025 work report of the National People's Congress Standing Committee, revising the Cybersecurity Law (“CSL”) was listed as one of its high-priority legislative tasks for 2025. On March 28, 2025, the Cyberspace Administration of China (“CAC”) accordingly released a draft amendment to the CSL (“Draft Amendment”), which was open for public comment until April 27, 2025. The Draft Amendment aims to enhance the integration of the CSL with related laws, such as the Data Security Law (“DSL”), the Personal Information Protection Law (“PIPL”), and the Administrative Penalty Law.
The Draft Amendment includes the following highlights:
No Restriction on Cross-border Transfer of Network Data Other Than Personal Information and Important Data
Article 66 of the CSL outlines the regulations governing the penalization of critical information infrastructure operators (“CIIOs”) for illegally storing or transferring "network data" outside of China. The Draft Amendment deletes references to “network data” and replaces them with “personal information and important data.” In other words, under the draft language, cross-border transfer of network data other than personal information and important data is not subject to strict regulation under the CSL. This language, if adopted, would bring the CSL into alignment with the Regulation on Network Data Security Management, which came into effect on January 1, 2025. For more details regarding the provisions of this Regulation, including clarifications to the definition of “important data,” see our earlier article, “China Releases Final Regulation on Network Data Security Management.”
It can be inferred that the fundamental regulatory principle in China is to obligate critical infrastructure and general network operators to adhere to restrictive requirements when transferring personal information and important data outside China but to allow the cross-border transfer of general network data without restriction.
Penalties Assessed According to the Severity of the Violation
The Draft Amendment would implement a system of tiered penalties based on the severity of the violation. Increased fines would be imposed for significant data breaches, and penalties may also include the closure of websites or applications, or the revocation of business licenses or operating permits. Directly responsible personnel could also face significant fines.
General Network Operators and CIIOs Are Subject to Different Penalty Standards
The CSL establishes distinct penalty standards based on the nature of the violation and the severity of the consequences. These standards apply uniformly to both general network operators and CIIOs.
The Draft Amendment, by contrast, outlines different penalty standards for general network operators and CIIOs. General network operators who violate network security protection obligations under Articles 21 and 25 of the CSL would be subject to organizational fines of up to RMB 500,000 ($70,000) and individual fines of up to RMB 100,000 ($14,000). CIIOs would receive heavier penalties under the Draft Amendment: CIIOs who violate network security protection obligations under Articles 33, 34, 36 and 38 of the CSL would be subject to organizational fines of RMB 10 million ($1.4 million) and individual fines of up to RMB 1 million ($140,000).
Circumstances for Reduced, Mitigated, or No Administrative Penalties
The Draft Amendment also adds a new section which states that network operators who actively eliminate or mitigate the harmful consequences of their violations, make prompt corrections without causing harm, or commit initial violations with minor consequences and rectify them promptly may receive reduced, mitigated, or no penalties.
Implications for U.S. Higher Education Institutions
The Draft Amendment has not yet passed. As always, it is imperative that U.S. institutions providing network services in China continue to adhere strictly to the provisions of the current CSL and any effective amendments in order to avoid potential penalties. Because the Draft Amendment adjusts penalties according to whether an institution eliminates or mitigates violations, U.S. higher education institutions (IHEs) that transfer data that is subject to the CSL should ensure that they have in place both strong mechanisms for managing the transfer of online content and emergency response plans for content-related incidents.
The CSL stipulates that CIIOs and network operators illegally storing or providing network data outside China will face penalties in accordance with the provisions of relevant laws and administrative regulations. However, current laws such as the PIPL and DSL, both of which were passed after the CSL, do not regulate network data aside from personal information and important data. If the Draft Amendment becomes law, the CSL will better align with the PIPL and DSL, therefore easing compliance challenges for U.S. IHEs.
While the transfer of non-personal information and non-important data to China will not be subject to restrictions if the Draft Amendment becomes law, educational collaborations and activities between the United States and China commonly involve the transfer of personal information. As a reminder, U.S. IHEs must continue to comply with Chinese laws and regulations governing the transfer of personal information and the transfer of important data, as follows:
Personal Information: Data handlers transferring sensitive personal information or transferring personal information (excluding sensitive personal information) of 100,000 or more individuals per calendar year are required to obtain personal information protection certification or execute and file the standard contractual clauses with the CAC before transferring such personal information outside China.
Important Data: Although much less common in the IHE context, any transfer of important data is contingent upon a security assessment by the CAC. Data is considered important data only if China’s regions or departments notify the data handler or publicly disclose that the data is designated as important data.