China’s CAC Promulgates Administrative Law Enforcement Procedures

China’s CAC Promulgates Administrative Law Enforcement Procedures

Client Alert

Authors

The Cyberspace Administration of China (“CAC”) promulgated the Procedures for Administrative Law Enforcement by the Cyberspace Administration Departments (网信部门行政执法程序规定, “Enforcement Procedures”) on March 18, 2023, effective June 1, 2023.1 The Enforcement Procedures in 58 articles across five chapters define the administrative law enforcement procedures under the framework of “case filing - investigation and evidence collection - hearing - penalty decision – execution,” clarify jurisdiction, and improve due process for the parties concerned. The Enforcement Procedures are intended to strengthen CAC’s law enforcement efforts in a more systematic and professional way. 

CAC’s authority has undergone significant changes since promulgation of the Administrative Law Enforcement Procedures for the Administration of Internet-based Information Contents (互联网信息内容管理行政执法程序规定, 2017). The role of the CAC has expanded from “content-based” administration (censorship) to data security and privacy protection, enforcement of regulations on data cross-border transfer, and cybersecurity review of network products, under authority granted by the Data Security Law (2021), Personal Information Protection Law (2021), Cybersecurity Review Measures (2021), Cybersecurity Law (2016), and National Security Law (2015).

The CAC has to date conducted cybersecurity review of Didi Chuxing (July 2021), a ride-hailing giant, two truck-hailing service providers and an online recruitment app (July 2021), CNKI (June 2022), a large Chinese academic database, and Micron (March 2023), the US-based memory chip maker, on the grounds of fending off data security risks, safeguarding cyber and national security, and ensuring security of the supply chain for critical information infrastructure.2

Major provisions of the Enforcement Procedures are as follows:

Jurisdiction

Administrative penalty enforcement is under the jurisdiction of the cyberspace administration department (“CAD”) at the county-level or higher in the place where the violation occurred (Articles 8 and 9). The Enforcement Procedures provide that “the place where the violation occurs” includes the place where the relevant service provided by the offender is licensed or has filed for the record; the principal business address; registered address; the place where the website creator, manager and user is located; the network access locality; the place where the server is placed; and the place where the computers and other terminal devices are located (Article 8).

Such multiple bases for jurisdiction create a potential for conflict among CADs over jurisdiction. The Enforcement Procedures provide that if two or more CADs have jurisdiction over the same violation committed by a party, the CAD which filed the case first should have jurisdiction (Article 10). Jurisdiction may also be determined by the shared CAD at the next higher level.

If national security is involved in a case under the jurisdiction of a CAD at the municipal level or below, the CAD shall report the case to the CAD at the next higher level, and report to the same for jurisdiction as the situation requires (Article 11).

Case Filing

A CAD may initiate investigation of a case (1) when evidence is found during a regulatory inspection; (2) on the basis of a report or complaint; (3) assigned by a higher-level CAD or transferred from a lower-level CAD for investigation; (4) transferred from another government department; or (5) detected through other means (Article 17).

Note that before a case is formally filed, CAD may take such measures as inquiry, inspection, testing, and retrieval, but the personal and property rights of the investigation target must not be restricted (Article 23).

Evidence Collection

CAD investigation and evidence collection shall be performed by law enforcement officers with administrative law enforcement qualifications. A minimum of two law enforcement officers shall be present and show their enforcement IDs (Article 19). 

Evidence subject to collection includes documentary evidence, physical evidence, audio-visual materials, electronic data, witness testimony, statements of the parties to the case, forensic opinions, inquest records, and on-site records. In particular, electronic data for this purpose may include data stored in computers, mobile communication devices, Internet servers, mobile storage devices, and cloud storage systems (Article 21). 

Such evidence as computers, servers, and hard drives may be retained at first after registration by the CAD but shall be disposed of within seven working days for further handling such as forensic tests or released if a violation is not established (Articles 28 and 29).

After the investigation is completed, if a violation can be established and should be subject to administrative penalty, the investigators shall draft the proposed administrative penalty (Article 33). 

The CAD shall expedite the conclusion of cases where the facts are clear, the offenders voluntarily acknowledge their wrongdoing and accept punishment, and have no objection to the illegal facts and the application of the law (Article 35).

Public Hearings

The parties concerned are entitled to a public hearing before CAD decides to impose any of the following penalties (Article 36): (1) a fine in a significant amount; (2) confiscation of huge illegal gains or illegal assets of large value; (3) downgrade of qualification or revocation of licenses; (4) order to cease operation, order to close business, or imposition of restrictions on business operations; (5) other severe administrative penalties; or (6) other circumstances as specified by law. The parties concerned have five working days to request a public hearing after being informed by the CAD of the potential penalty and the entitlement to a public hearing (Article 36).

CAD may also schedule a regulatory conversation with the parties concerned before making the penalty decision (Article 38).

Administrative Penalty Decisions

Before an administrative penalty decision is issued, the CAD shall first notify the party concerned in a notice of administrative penalty opinions, in which the proposed penalty, facts, and basis for punishment are included, to allow the parties to make representations and requests (Article 39). The Enforcement Procedures add a new requirement that the CAD may not issue a penalty decision if it fails to first notify the party concerned of the proposed penalty or refuses to hear the party’s representation and petition (Article 40). 

To pursue further law-based and science-based enforcement procedures, the Enforcement Procedures continue to adopt the mechanism in the 2017 edition for “collective discussion” of major cases and complicated cases by leaders of the CAD before rendering a decision (Article 43). To this end, the Enforcement Procedures also introduce “legal verification” by licensed legal professionals, i.e., certified lawyers, a new mechanism without which or in case of failure to pass the verification no decision shall be rendered under any of the following circumstances (Article 41): (1) when major public interests are concerned; (2) after the hearing, major interests of the party to the case or of a third party are concerned; (3) the case is difficult and complicated with multiple legal relationships involved; or (4) other circumstances under which the legal verification shall be conducted as required by law.

The Enforcement Procedures expressly require, as opposed to the 2017 edition, that an administrative penalty decision shall be issued within 90 days after the case is formally filed (excluding the time for public hearing, forensics, etc.), with an extension of 60 days in complex cases; an extra extension in a reasonable time limit for extremely complex cases may also be possible as determined by the CAD at the next higher level or the CAC (Article 45). 

Conclusion

The Enforcement Procedures were promulgated to bring law enforcement activities by the CAC more in line with the newly revised Law on Administrative Penalties, even though the Enforcement Procedures themselves do not substantively expand the authority of the CAC. It is expected that the CAC’s law enforcement efforts will be further strengthened and standardized with an aim not only to penalize offenders but also educate them by granting them improved due process. The Enforcement Procedures do not appear to be targeted at multinational companies. 

Authors

Notice

Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link.(The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.