Administrative law enforcement in the field of Internet

Tracker Report on China's Cyber, Data and Personal Information Protection Administrative Enforcement

On November XNUMX, XNUMX, with the implementation of the Personal Information Protection Law, the top-level legal design in China's data protection field has been completed. Data compliance has gradually become an issue of concern to all companies, and the huge fines have also triggered heated discussions in the public opinion. Behind this excitement, we seem to lack some panoramic views of practice. We want to know what happened in the two or three years since the implementation of the three laws.

Here, we report on the findings from our mix-method research, which surveyed XNUMX administrative fine cases and interviewed high impact professionals and legal experts from the industry and academia. Participants were selected with snowball sampling starting from the members’ interpersonal network. Our research aims to understand which sectors or actions have received the most regulatory attention.

<strong>KEY FINDINGS</strong><br><br> This report provides statistics-based counterarguments to tackle several conventional yet prevalent misunderstandings about China’s administrative fines:<br> (1) Leniency is more common than severity. The statistics show that warnings and small fines well under $15,000 comprise 92% of punishments. This counters the view that Chinese enforcement automatically levies heavy-handed penalties. <br> (2) Lighter punishments like warnings and small fines are more common than harsh penalties: The dispersed regional distribution of cases, like Guangxi's large volume, imply enforcement energies vary locally more than a top-down directive. This qualifies perceptions of stringent centralized control.<br> (3) Financial rules target risks, not protectionism. Specialized banking/insurance regulations focus on risk management areas that predate growing data value, mitigating notions of recent opportunism. <br> (4) Individual accountability is rarely enforced. Relatively few fines exceeding $10,000 for individuals suggest individual accountability serves mainly deterrent rather than retributive purposes. <br> (5) Private assistance faces limits. Foreign penalization only arose indirectly via supplier reviews, with no reports of independent private sector targeting at odds with perceived overreach.

STRUCTURE

In Chapter One ""Overview of Law Enforcement", we first explore the key topics covered in our analysis of China's cybersecurity law enforcement regime. We begin by conceptualizing the enforcement landscape, outlining the key statistics that define the breadth and focus of enforcement activities. We then examine the dimensions that constitute enforcement under each law, from the Cybersecurity Law to the Data Security Law and Personal Information Protection Law.;

In Chapter Two"Typical Case", we delve deeper into how enforcement is carried out in practice. We analyze the typical cases that authorities focus on, from failures to take appropriate security measures to data leaks and incidents involving personal information rights. We also consider how certain violations may place some entities in more vulnerable regulatory situations;

In Chapter Three"Extension and discussion", we review the administrative framework for online data governance and the procedures that authorities follow in applying cybersecurity laws. We additionally incorporate expert perspectives on challenges and opportunities in this evolving field. Finally, we reflect on lessons learned from this analysis regarding continued risk mitigation, business responses, and the balance of security, oversight and individual autonomy in China's digital regulatory environment.

Author