In the wake of China’s Cybersecurity Law going into effect on June 1, 2017, local authorities in Shantou and Chongqing have brought enforcement actions against information technology companies for violations of the Cybersecurity Law. These are, reportedly, the first enforcement actions brought pursuant to the Cybersecurity Law.
Recently, Chongqing’s municipal Public Security Bureau’s cybersecurity team identified a violation of the Cybersecurity Law during a routine inspection. A technology development company failed, as required under the Cybersecurity Law, to retain web logs relating to its users’ logins when providing internet data center services. In response, the public security authority issued a warning and an order to correct the issue within 15 days, with a follow-up inspection to take place after the rectification. In another enforcement action taken by Shantou’s municipal Public Security Bureau’s cybersecurity team in July, an information technology company in Shantou, Guangdong Province, was ordered to correct a violation of the Cybersecurity Law.
Though reportedly the first enforcement actions brought pursuant to the new Cybersecurity Law, these amounted to only minor actions. They involved only warnings and orders to correct the issues; no fines or criminal penalties were imposed. Accordingly, these enforcement actions likely do not provide much insight into how the Cybersecurity Law will be enforced moving forward. These actions do, however, indicate that enforcement authorities, such as public security agencies and the cyberspace administration agency, have started to consider their roles in enforcing the Cybersecurity Law. More enforcement actions could be expected in future.