On October 31, 2016, the Standing Committee of the National People’s Congress of China held a third reading of the draft Cybersecurity Law (the “third draft”). As we previously reported, the second draft of the Cybersecurity Law was published for comment in June. The National People’s Congress has not yet published the full text of the third draft of the Cybersecurity Law.

According to the National People’s Congress of China’s website, under the third draft of the Cybersecurity Law, the term “key information infrastructures” generally refers to information infrastructures maintained by certain industry sectors which would seriously jeopardize national security and the public interest should such infrastructures malfunction, or be subject to damage or data leakages. The relevant industry sectors include public communication and information services, energy, transportation, water resources utilization, finance, public service and e-government affairs. Operators of such infrastructures would be subject to a prospective data localization requirement, and would be required to implement certain security protection measures. The State Council will formulate the specific scope of “key information infrastructures” and the required security protection measures.

The third draft also stipulates that overseas entities or individuals that attack, invade, interfere with or destroy Chinese “key information infrastructures” will be subject to legal liability, and China’s public security agencies may adopt sanctions against them, including freezing their assets.

In addition, the third draft includes provisions regarding the punishment of cybercrimes, including cyber fraud, and the online protection of minors.